Customers may go to http://www.x-ways.net/winhex/license.html for download links, the latest log-in data, details about their access to updates, etc. Those customers whose access to updates or license has expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about service releases when they become available, you can find those in the Announcement section of the forum and (with active access to updates) can subscribe to them, too, by creating a forum profile. Please note that if you wish or need to stick with an older version for a while, you should at least use the last service release of that version. Yes, really.

Please sign up for our training newsletter here if you would like to be kept up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.

What's new in v19.5? (Please note that most changes affect X-Ways Forensics only.)

Case Management

A new command in the case context menu allows you to import
evidence objects from another case into the current case, for
example when you wish to merge different cases (that may have been
worked on by different users to split up the workload) into a single
case. Only tagged evidence objects are imported, i.e. those displayed
with a light bulb in their original case. This will also import
(actually: copy) an evidence object's volume snapshot with report table
associations, comments, bookmarks, search hits, indexes, events, RAID
reconstruction parameters, time zone selection, and much more, but not
volume snapshot backups and not the users (examiners) of the other case
and the distinction between their own report table associations and
search hits. The timestamp recorded when the evidence object was added
to the original case will be taken over into the new case. The current
user who conducts the import will absorb those results. The unique IDs
of files will be different in the new case. However, report table
associations for that evidence object can be exchanged (exported and
imported) between the source and the destination case because the volume
snapshot IDs and internal IDs are retained.

The command to import an evidence object from another
case can also be used to simply duplicate an evidence object in the same
case. Simply select the .xfc file of the currently active case to do
that for the tagged evidence objects. This can be useful to maintain,
view and compare two volume snapshots at the same time, to experiment with
file header signature searches using untested signature definitions, etc.

When trying to open an evidence object of a case that
is backed by an image file and the image file cannot be found, X-Ways
Forensics now automatically offers to open the evidence object without
image, just like with the corresponding context menu command in the Case
Data window. Useful if the image is not accessible right now (or has
been deleted/lost completely) and you wish to just peek at the file
listings, report table associations, your own comments, hash set
matches, extracted metadata etc.

File Format Support

Safari Cache.db: Preview includes information as to
where the data of each record is stored (filesystem or Cache.db).
Prevents dummy data from being exported when data is not stored within
the database. Support for a previous schema of the Safari cache
database.

Metadata and event extraction from SRUDB.dat, i.e.
the activity captured by the system resource usage monitor (SRUM). You
can see the processes started over time, listed with their owners, and a
lot of statistics. Network usage activity by each process is extracted
as well. The extracted information can be useful to pinpoint the moment
of a possible intrusion or the process that caused an intrusion. The
information is presented in detailed HTML child object files and as
events in the event list. Individual event types for SRUDB make it
easier to filter for particular resource usage types.

Ability to display some rare black & white PNG
pictures with the internal graphics viewing library that were not
supported previously.

The type of a user account (administrative user, user
only, or guest account) is now mentioned in the Windows registry report.

File System Support

Recognizes files that were encrypted in FAT and exFAT
volumes by Windows 10 with EFS as encrypted.

"Read uninitialized areas as zeroes" is now a 3-state
check box. If fully checked, it has an effect on all read operations
except logical searches, indexing, and search hit context preview. If
half checked, it has an effect on all read operations except those three
and on how file contents are presented in File mode and in separate
data windows. If checked (fully or half), that is a useful setting to
achieve file hash compatibility with ordinary (user level) Windows
applications. If not checked at all, that is the setting required for
hash compatibility with ordinary forensic tools, and it causes all
file-specific read operations to return the data that is stored in the
allocated (but uninitialized) clusters from previous usage, for example
also for the Recover/Copy command.
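To make the hash-compatibility point above concrete, here is an added Python example (not code from X-Ways; the cluster size, file sizes and the stale content are constructed for the demonstration). A file whose logical size exceeds the length that was actually written (on NTFS this is tracked as the valid data length) hashes differently depending on whether the reader returns zeros for the uninitialized tail, as a user-level Windows application sees it, or the stale bytes still present in the allocated clusters, as a tool reading the clusters directly sees them.

```python
import hashlib

# Constructed sample: a 6000-byte file occupying two 4096-byte clusters,
# of which only the first 3000 bytes were ever written. The remaining
# bytes are allocated but uninitialized and still hold whatever a
# previous file left in those clusters.
CLUSTER = 4096
LOGICAL_SIZE = 6000
VALID_DATA_LENGTH = 3000


def build_allocated_clusters() -> bytes:
    """Raw content of the file's two allocated clusters (constructed)."""
    stale = (b"STALE-DATA-FROM-PREVIOUS-FILE " * 400)[:2 * CLUSTER]
    buf = bytearray(stale)
    fresh = (b"current contents " * 200)[:VALID_DATA_LENGTH]
    buf[:VALID_DATA_LENGTH] = fresh
    return bytes(buf)


def read_file_contents(allocated: bytes, logical_size: int,
                       valid_data_length: int, zero_uninitialized: bool) -> bytes:
    """Return the bytes a reader sees for the file.

    zero_uninitialized=True mimics an ordinary (user-level) Windows read,
    which never exposes bytes beyond the valid data length. False mimics a
    forensic tool that reads the allocated clusters as stored on disk.
    """
    data = allocated[:logical_size]
    if zero_uninitialized and valid_data_length < logical_size:
        data = data[:valid_data_length] + bytes(logical_size - valid_data_length)
    return data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_hashes() -> dict:
    """Hash the same file both ways and report how many bytes differ."""
    allocated = build_allocated_clusters()
    zeroed = read_file_contents(allocated, LOGICAL_SIZE, VALID_DATA_LENGTH, True)
    raw = read_file_contents(allocated, LOGICAL_SIZE, VALID_DATA_LENGTH, False)
    return {
        "zeroed_sha256": sha256_hex(zeroed),
        "raw_sha256": sha256_hex(raw),
        "logical_size": len(raw),
        "stale_bytes_exposed": sum(a != b for a, b in zip(zeroed, raw)),
    }


if __name__ == "__main__":
    for key, value in compare_hashes().items():
        print(f"{key}: {value}")
```

The two digests differ although the file is "the same" in both views; the first 3000 bytes are identical and the remaining 3000 are either zeros or leftover cluster content. When comparing hash values across tools, the read mode therefore has to be agreed on first.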

Files in NTFS volumes that have grown or shrunk and
whose previous file size is known from the FILE record now get their
previous file size shown in the Info pane.

Directories can now be previewed. The preview of a
directory shows that directory's subdirectories as a tree and optionally
the respective file counts. It may be truncated if the amount of time to
put together the preview exceeds a certain limit, to avoid long delays
when navigating in the directory browser. If you need a complete
preview, you can hold the Shift key when switching to Preview mode for a
given directory, or you can use the "Export subtree" context menu
command in the Case Data window instead.

Volume Snapshot Processing

Ability to run file header signature searches not
only in files whose names or types match a certain file mask, but
optionally also all files of unknown type.

When analyzing or recovering a previous instance that
employs additional threads, it is now possible to select one of those
worker threads instead of the main thread.

Ability to run X-Tensions as part of a volume
snapshot refinement that is triggered from the command line.

Ability to run a simultaneous search neither in the
original file contents nor in the directory browser metadata cells, but
only in the decoded text of documents.

Fast re-matching specifically of selected and tagged
files against a hash database even when there are lots of matches in the
volume snapshot already.

Check box to do FuzZyDoc matching "again" for files
that were matched against the FuzZyDoc hash database already before.

Ability to export, import and merge FuzZyDoc hash
sets. The result of the export can be used with the import function or
alternatively is also valid as a stand-alone database by itself.

Directory Browser Commands & Options

New directory browser context command Navigation |
Seek Path helps to locate a file or directory in the directory browser
whose full path you specify.

Duplicate files can now also be identified based on
the textual representation of dates in some of the date columns, and how
many characters in these columns and in the Name column are compared is
optional.

That previously existing files are represented with
the Hidden attribute (H) when mounting as a drive letter is now
optional.

Hierarchical indention in the Export List command can
now be stronger (fully checked) or not so strong (half checked).

The Hash category filter can now target uncategorized
files.

Recover/Copy now uses the same notation options as
the Export List command.

Options of the Print command reorganized. In
particular it is now easy to print *only* a cover page, not the actual
file, if you are mainly interested in a printout of the metadata and
your own comments.

The print cover page now better utilizes the page
width.

There is now an option to print a preview of the file
(picture or non-picture) at the bottom of the cover page. The format of
this preview depends on the settings of the viewer component in Preview
mode, e.g. "Best Fit" or "Actual Pixels" or "Fit to Window Width" etc.
This is a 3-state check box. If only half checked, the preview is
printed in much lighter colors, either to save ink/toner or to improve
readability of the metadata fields if you output many of those and they
spill over onto the preview.

Directories can now also be printed. The printout
shows exactly the same as Preview mode.

When filters are applied to directories, too, that
now concerns only suitable filters. Filters that do not make sense to
apply to directories (Type, Type Status, Hash, Hash Set, Author, ...)
are not applied.

If "List directories when exploring recursively" is
half checked, i.e. when directories are not needed for navigation, just
of interest if they match filters of interest, that now means that
directories will only be listed if only filters are active that are
actually applicable to directories (Name, timestamp filters, Owner, Int.
ID, Attributes, ...) and if those filters let directories pass through.
If for example both the Name filter and the Type filter are active at
the same time, directories will not be listed, because even if they
satisfy the Name filter, they cannot possibly satisfy the Type filter
(directories do not have a file type). But if the Name filter is on and
the filter for timestamps, then directories are listed if they match
both filter conditions.
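The listing rule spelled out in the preceding paragraphs can be written down as a small decision function. The following Python is an added example, not X-Ways code: the encoding of the 3-state check box, the column names and the sample directory are assumptions chosen to mirror the text, and the fully checked branch assumes that the separate option to apply filters to directories is on.

```python
from typing import Any, Callable, Dict

# Constructed encoding of the 3-state "List directories when exploring
# recursively" check box.
UNCHECKED, HALF_CHECKED, FULLY_CHECKED = 0, 1, 2

# Filter columns that can meaningfully be applied to a directory. The
# membership follows the newsletter's examples; the exact column labels
# are an assumption of this example.
DIRECTORY_APPLICABLE = {"Name", "Created", "Modified", "Owner", "Int. ID", "Attributes"}

# A filter is a predicate over the cell value of one column.
Filters = Dict[str, Callable[[Any], bool]]


def passes_filters(item: Dict[str, Any], filters: Filters) -> bool:
    return all(pred(item.get(column)) for column, pred in filters.items())


def directory_is_listed(directory: Dict[str, Any], active_filters: Filters, state: int) -> bool:
    """Decide whether a directory appears in a recursive listing."""
    if state == UNCHECKED:
        return False  # directories are not listed when exploring recursively
    if state == FULLY_CHECKED:
        # Directories are needed for navigation, so they are listed; only the
        # filters that make sense for directories are applied to them.
        suitable = {c: p for c, p in active_filters.items() if c in DIRECTORY_APPLICABLE}
        return passes_filters(directory, suitable)
    # HALF_CHECKED: a directory is of interest only if every active filter is
    # applicable to directories and the directory satisfies all of them. A
    # single inapplicable filter (e.g. Type) rules every directory out.
    if any(c not in DIRECTORY_APPLICABLE for c in active_filters):
        return False
    return passes_filters(directory, active_filters)


# Constructed sample directory and filters.
SAMPLE_DIR = {"Name": "Prefetch", "Modified": "2017-09-06 10:15:00", "Type": None}


def name_filter(value: Any) -> bool:
    return bool(value) and "prefetch" in value.lower()


def type_filter(value: Any) -> bool:
    return value == "pf"


def modified_in_2017(value: Any) -> bool:
    return bool(value) and value.startswith("2017")


if __name__ == "__main__":
    # Name + Type active: not listed, a directory cannot satisfy Type.
    print(directory_is_listed(SAMPLE_DIR, {"Name": name_filter, "Type": type_filter}, HALF_CHECKED))
    # Name + timestamp active and both satisfied: listed.
    print(directory_is_listed(SAMPLE_DIR, {"Name": name_filter, "Modified": modified_in_2017}, HALF_CHECKED))
```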

By default, the Path column now displays a partial
path from the current exploration base when exploring recursively. That
is the same path that you would get with the Recover/Copy command when
reproducing a partial path only. Useful for example if you wish to share
directory listings including subdirectories with someone (Export List
command), distinguishing files in different subdirectories, without
revealing the complete path of the files (e.g. on your own storage
drive).

The directory browser settings including all filters
can now also be saved and loaded from within the system menu of the
Directory Browser Options dialog window.

User Interface

An additional column shows the unique ID formatted
and extended as a GUID, for users who need to have a GUID for each file
in their cases. The GUID can also be used to name output files in the
case report and in Recover/Copy.

A new directory browser column shows the number of
search hits in a file.

Additional columns after "Recipients" show To:, Cc:,
and Bcc: recipients of e-mails and e-mail attachments separately.

The generator signature, which is known from the
Metadata column, is now additionally presented in its own separate
column, for sorting purposes, which may help to identify logical
connections.

The dialog window that allows you to define keyboard
shortcuts is now accessible from the General Options, no longer from the
Directory Browser Options.

The height of the Directory Browser Options dialog
window has been shrunk, so that it should now fit on the screen even on
laptop computers with unnecessarily high DPI settings in Windows 10 or
generally on displays or projectors with a poor vertical resolution.

A new option in Options | Viewer Programs allows you to
provisionally clean up after GDI font object leaks as exhibited by the
viewer component when loading some rare files, in the x64 edition only
(possibly functional also in the x86 edition in an x86 Windows as well,
but that was not tested). This prevents graphical errors in the user
interface as well as program instabilities and freezes. Users who have
encountered such rare files occasionally because they view/preview so
many files or extensively use the gallery with thumbnails of non-picture
files are encouraged to switch to v19.5 early.

WinHex Lab Edition now allows the use of File mode.

In WinHex with a specialist license or less, the
legend can now be displayed with a command in the Access button popup
menu, and toggling between recursive and normal exploration is also
possible now with a command in that menu.

Details mode now has a sub-mode, which can be
activated by pressing the new "IM" button and which shows ONLY the internal
metadata of a file. That makes it more efficient to check multiple
files for that kind of metadata without having to scroll. In particular
this is useful for forensic review of photos, to check the Exif data.
Also new: values in the internal metadata of JPEG files that X-Ways
Forensics thinks have changed/are not original are highlighted in blue.

A Tooltips.txt file with tooltip assistance for many
check boxes in various dialog windows has been compiled by Michael
Yasumoto, thankfully, copied verbatim from the explanations in the
English language program help / user manual, and is available for
download now, for users of X-Ways Forensics and X-Ways Investigator,
from the “Additional resources” directory (download URLs available from
here as always).
Tooltip text truncations after 512 characters are normal and by design.

When defining German as the language of the user
interface, users can now choose to get almost all occurrences of the
letter ß replaced with ss. Useful especially (but not only) for
customers in the German speaking parts of Switzerland.

Miscellaneous

X-Ways Forensics, X-Ways Investigator and WinHex Lab
Edition now support a new API called the Image I/O API. It's described
at http://www.x-ways.net/forensics/x-tensions/Image_IO_API.html and
allows interested parties to add support for other physical disk image
formats. It is even possible to add alternative support for an already
supported image type, for example certain virtual machine disk images
with currently unsupported special features or segmented raw images with
a currently unsupported segment filename scheme. When such DLLs are made
available by trusted sources, users would just add them to the
installation directory of X-Ways Forensics. They have to be named
Image*.dll, and will be loaded automatically by the program. (Adding
them to the installation directory is considered to signify consent for
that.)

X-Tensions API: XWF_ITEM_INFO_ATTR of the
XWF_GetItemInformation function now documented.

Many minor improvements.

User manual and program help updated for v19.5.

Changes of service releases of v19.4

SR-1: The Simultaneous Search as invoked from Refine
Volume Snapshot did not work when RVS was triggered from the command
line. That was fixed. (The fix will also be included in v19.1 SR-10,
v19.2 SR-8, and v19.3 SR-8.)

SR-6: Fixed a rare exception error that could occur
when taking volume snapshots of HFS+ volumes.

SR-6: The logical simultaneous search would not run
in WinHex with a specialist license in v19.4. That was fixed.

SR-7: Skipping hash databases when matching hash
values did not always work in v19.3 and v19.4. That was fixed.

SR-7: Fixed an infinite loop that could occur under
rare circumstances when opening files in TAR.GZ archives.

SR-7: Fixed an exception error that could occur when
processing certain e-mail messages in v19.4 SR-6.

Thank you for your attention! We hope to see you soon somewhere on http://www.x-ways.net or on our Facebook page. You may also follow us on Twitter! Please forward this newsletter to anyone who you think will be interested. If you wish to subscribe with another e-mail address, please do so here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde

#156: X-Ways Forensics, X-Ways Investigator, WinHex 19.4 released

Sep 6, 2017

This mailing is to announce the release of another notable update with many improvements, v19.4.

What's new in v19.4? (Please note that most changes affect X-Ways Forensics only.)

File Listing/Reporting

The Recover/Copy command now allows output files to be named
optionally not only after their unique IDs, but after any other
column in the directory browser, such as hash value, ID, comment, offset
in the file system, etc. Such metadata can also be
prepended or appended to the name, which for example could be useful
with alternative name, existence status, report table, timestamps,
author, sender, description, attributes, analysis result, hash set, ...
If the cell text consists of multiple lines (e.g. Comments or Metadata
column), only the first line is used. Backslashes in the path columns
are automatically replaced with underscores. That makes it possible to
name a file after its complete original path.

Several more columns of the directory browser are now
offered for grouping in the Recover/Copy command, such as Evidence
object, Analysis, Dimensions, Comments, Sender, Recipients, and many
others. Please note that grouping by evidence object has always been
possible when recovering files from the case root with a partial path,
long before the special grouping option was introduced, but that
possibility, although available and documented from day one, has been
overlooked by some users, even when they asked and were explicitly told
about it, and it has now been removed (now only when recovering files
from the case root with a full path).

It is now possible to limit the Recover/Copy grouping
directory name to a certain number of characters. That could be very
useful for example in order to group files by year (the first four
characters in creation or modification timestamps, given suitable
notation settings) or simply to split up a huge number of output
files into roughly equally large subdirectories (with the first one or
two characters of the hash value, for 16 or 256 such subdirectories),
based on the law of large numbers, or simply to reduce the risk of
overlong paths.
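The naming and grouping rules described above (first line of a multi-line cell only, backslashes to underscores, fall back to the original name when the cell is blank, and a grouping directory cut to the first N characters of a cell) are easy to reproduce. The Python below is an added example, not X-Ways code; the function names and the SHA-256 values standing in for the Hash column are constructed. It also shows why one or two hex characters of a hash give roughly equal buckets: the counts over 16 or 256 subdirectories come out nearly level for a few thousand files.

```python
import hashlib
from collections import Counter
from typing import Dict, Iterable, List, Optional


def first_line(cell_text: str) -> str:
    """Multi-line cells (Comments, Metadata) contribute only their first line."""
    return cell_text.splitlines()[0] if cell_text else ""


def output_name_from_cell(cell_text: str, original_name: str) -> str:
    """Name an output file after a directory browser cell value.

    Backslashes (path columns) become underscores so that a complete
    original path fits into a single file name; a blank cell falls back
    to the file's original name.
    """
    name = first_line(cell_text).replace("\\", "_")
    return name or original_name


def grouping_dir(cell_text: str, max_chars: Optional[int] = None) -> str:
    """Grouping subdirectory for a file, optionally cut to max_chars.

    With max_chars=4 on a timestamp cell this groups by year; with 1 or 2
    on a hex hash it yields up to 16 or 256 roughly equal buckets.
    """
    key = first_line(cell_text).replace("\\", "_")
    return key[:max_chars] if max_chars is not None else key


def bucket_counts(cell_values: Iterable[str], max_chars: int) -> Dict[str, int]:
    """How many files would land in each grouping directory."""
    return dict(Counter(grouping_dir(v, max_chars) for v in cell_values))


def sample_hashes(count: int) -> List[str]:
    """Constructed SHA-256 values standing in for the Hash column."""
    return [hashlib.sha256(f"file-{i}".encode()).hexdigest() for i in range(count)]


if __name__ == "__main__":
    print(output_name_from_cell(r"\Users\jdoe\Documents\report.docx", "report.docx"))
    print(grouping_dir("2017-09-06 10:15:00", 4))
    by_nibble = bucket_counts(sample_hashes(4096), 1)
    print(len(by_nibble), min(by_nibble.values()), max(by_nibble.values()))
    by_byte = bucket_counts(sample_hashes(4096), 2)
    print(len(by_byte), min(by_byte.values()), max(by_byte.values()))
```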

When files are copied to include them in the case
report, they can now be named not only after their original name or
unique ID, but also after hash values and various other more or less
unique properties. If those happen to be blank, the original name will
be used.

Sorting by full path now ensures the correct
hierarchical order with child objects following their respective parent
objects even if some parent files or directories or e-mail messages have
the exact same name.

The Full Path filter now supports asterisks at the
end of each line. For example, \Windows\Prefetch\* matches all files in
the directory \Windows\Prefetch.

When exporting a list of files or directories along
with their child objects sorted by full path, so that child objects
directly follow their respective parents, in TSV or HTML format, a new
option called "Indention" allows you to indent the names of the child
objects so that it is easy to see in the output which objects are child
objects of which other objects even when not looking at or when not even
including the potentially very long full path as an additional column.

"List directories when exploring recursively" is now
a 3-state check box and by default half-checked. In that state
directories are listed when exploring recursively only if a non-trivial
filter is active (non-trivial = for more than just not excluded items)
and when actually applying filters to directories, too. In this
combination the user is potentially interested in directories because
they may have certain timestamps or names etc. of interest, but in
ordinary situations probably not, so this new middle state could be a
very good compromise.

Grouping files and directories is now a 3-state check
box and by default groups only when not exploring recursively, i.e. only
when directories are needed for navigation and thus expected at the top
of the list.

Carved files can now be filtered with the Description
column filter as a special kind of previously existing files, which
should be more logical and internally slightly faster.

File Type Support

X-Ways Forensics and WinHex Lab Edition now have a
special highlighting feature for file header signatures, right in the
hex display (X-Ways Forensics: Disk/Partition/Volume and File mode). The
identification is done by matching the raw GREP-enabled expressions in
"File Header Signatures Search *.txt" to every single offset in the
currently visible page. The enhancing effect of the "~" algorithms, which
often can identify false positives or further distinguish between
different subtypes during file header signature searches, is not
applied, though. This new feature can be enabled or disabled in Options
| General, in the automatic coloring section on the right. If only half
selected, signatures will only be searched and highlighted at sector
boundaries. Generally this kind of highlighting will help you spot start
positions of well known data/file types, even if embedded within one
another, immediately, for example thumbnails in JPEG files, individual
records in zip archives, TIFF signatures in Exif metadata, certificates
in Windows Registry hives, etc. etc.

FILETIME highlighting is now separately selectable
and not covered by the MFT FILE record auto coloring option any more.

New flag for file header signature definitions: "H"
means that a definition is meant only for the new highlighting feature,
not for regular file header signature searches or for file type
verification. Such definitions only require three pieces of information:
The keyword or GREP expression, the relative offset (typically 0) and
the flag "H". The description at the start of the line is optional, but
recommended because the color depends on the description, and for
different descriptions you will likely see different colors. You could
even create a dedicated text file, for example named "File Type
Signatures Search Highlighting.txt", that defines various keywords or
GREP expressions that you are always interested in and would like to get
highlighted immediately in every case even before running appropriate
searches. Also useful if you analyze or reverse-engineer file formats,
where for example records do not have a fixed length (so that the record
presentation option in WinHex is not applicable), but are identifiable
by signatures.

New flag for file header signature definitions: "A"
means that a definition heavily depends on the associated algorithm (the
one defined with the ~ character) and is too generic for identification
without it. Thus the new highlighting feature will not use signatures
with the "A" flag.
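The highlighting feature and the two new flags can be illustrated with a small matcher. The Python below is an added example and not X-Ways code: the tab-separated definition table, its sample entries and the 2 KiB buffer are constructed, and only the field order (description, GREP expression, relative offset, flags) follows the description above. The matcher tries every offset of the buffer (or only sector boundaries, like the half-selected option), which is what makes nested structures such as a thumbnail inside a JPEG visible, and it skips definitions flagged "A", whose ~ algorithm is not applied during highlighting.

```python
import re
from typing import Any, List, Set, Tuple

SECTOR = 512  # constructed sector size for the "sector boundaries only" mode

# Constructed stand-in for a signature definition table. The field order
# follows the newsletter; the tab layout and the entries are assumptions
# of this example, not X-Ways' own definition file.
SIGNATURE_TABLE = """\
JPEG\t\\xFF\\xD8\\xFF\t0\tH
ZIP local header\tPK\\x03\\x04\t0\tH
TIFF/Exif\t(II\\x2A\\x00|MM\\x00\\x2A)\t0\tH
Generic record\t\\x00{3}[\\x01-\\x10]\t0\tA
"""

# (description, compiled bytes pattern, relative offset, flags)
Definition = Tuple[str, Any, int, Set[str]]


def parse_definitions(table: str) -> List[Definition]:
    defs: List[Definition] = []
    for line in table.splitlines():
        if not line.strip():
            continue
        desc, expr, offset, flags = line.split("\t")
        # latin-1 maps every character to one byte, so the \xHH escapes
        # reach the regex engine intact and are matched against raw bytes.
        defs.append((desc, re.compile(expr.encode("latin-1")), int(offset), set(flags)))
    return defs


def find_signature_starts(buf: bytes, defs: List[Definition],
                          sector_boundaries_only: bool = False) -> List[Tuple[int, str]]:
    """Return (start offset, description) for every signature match.

    Every offset of the buffer (or only each sector boundary) is tried as a
    potential file start. Definitions flagged "A" are too generic without
    their ~ algorithm and are skipped.
    """
    step = SECTOR if sector_boundaries_only else 1
    hits: List[Tuple[int, str]] = []
    for desc, pattern, rel_offset, flags in defs:
        if "A" in flags:
            continue
        for start in range(0, len(buf), step):
            if pattern.match(buf, start + rel_offset):
                hits.append((start, desc))
    return sorted(hits)


def build_sample_buffer() -> bytes:
    """Constructed 2 KiB of data with nested and sector-aligned signatures."""
    buf = bytearray(2048)
    buf[0:4] = b"\xFF\xD8\xFF\xE1"        # JPEG SOI followed by an APP1 marker
    buf[12:16] = b"MM\x00\x2A"            # TIFF header inside the Exif segment
    buf[300:304] = b"\xFF\xD8\xFF\xDB"    # embedded thumbnail JPEG
    buf[1024:1028] = b"PK\x03\x04"        # zip local file header at sector 2
    buf[1533:1537] = b"\x00\x00\x00\x05"  # matches only the generic "A" definition
    return bytes(buf)


if __name__ == "__main__":
    defs = parse_definitions(SIGNATURE_TABLE)
    data = build_sample_buffer()
    print(find_signature_starts(data, defs))
    print(find_signature_starts(data, defs, sector_boundaries_only=True))
```

Running the all-offsets mode reports the outer JPEG at 0, the TIFF header at 12, the embedded thumbnail at 300 and the zip record at 1024; the sector-boundary mode reports only the two that start on a 512-byte boundary, and the generic "A" definition never appears in either list.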

Ability to view or preview certain password-protected
documents if the password is available. Only certain encryption variants
of Microsoft Office and PDF documents, Microsoft Outlook PST 97-2013,
and Zip files are supported. When previewing such a file, the password
will be taken from the Metadata cell of that file (if available from
there in a line that starts with "Password: ") or otherwise all
passwords from the currently active case's password collection will be
tried automatically. If one of the passwords from the password
collection matches, it will be remembered in the Metadata cell of the
file for future re-use and the user's information. When viewing such a
file, if no matching password is found, the user will be additionally
prompted for the password repeatedly until he or she provides the
correct password or gives up (clicks Cancel).

The file format specific encryption test now
automatically tries the passwords in the current case's password
collection with such files as well and remembers the matching password,
if any, in the file's Metadata cell.

Metadata extraction revised for MS Word documents.
The “content created” timestamp is now provided for more files than
before. There are two new metadata fields called "Format version" and
"Generator". The generator is not necessarily MS Word itself, but could
be Open Office. "Product created" is now output with a 2-digit year so
that it is easier to recognize as a timestamp.

"Content created" timestamps can now be provided for
some more PDF documents as some more special coding variants are now
supported.

More thorough extraction of messages from certain
Skype databases. The presentation of the conversation was simplified and
duplicate information removed. The individual conversations in the chat
files are now listed in one consecutive table with highlighted
indicators when each conversation started or ended. This improvement is
also retroactively applied to v19.3 through v19.0 in service releases
after July 10, 2017.

Ability to view Windows 10 Prefetch files under
Windows 7 with a work-around offered by X-Ways Forensics when the user
tries to do that.

Better file carving results for RAR, large PST, 7Zip,
DWF, and JPEG.

Better carving results for large embedded data in
other files.

New file type "vdata" defined in the Special
Interest category, for picture and video files that were specially hidden by an
Android app called Vaulty.

Support for a new version of Windows Thumbcache
files.

Output of the official InstallDate of a Windows 10
installation from the SOFTWARE hive in addition to the SYSTEM hive's
original "Source OS *" InstallDate if present as an "Upgrade" timestamp
in the properties of newly added evidence objects, so that users find
both dates there and don't suspect a bug in X-Ways Forensics if the
installation date that they think is correct does not match the date
shown. Anyway, for more complete information please generate the
registry report.

File System Support

Ability to decompress "WofCompressed" executable
files as compressed by the CompactOS feature of Windows 10 in NTFS, with
WinHex Lab Edition, X-Ways Investigator and X-Ways Forensics. Such files
are recognized as WofCompressed by X-Ways Forensics since v19.1 and
marked in the Attr. column with P and ~.

In NTFS volumes and in evidence file containers in
raw format the "Wipe securely" command in the directory browser context
menu in WinHex (X-Ways Forensics only when running as WinHex) can now
optionally also wipe the main file system level metadata / the defining
file system data structures of selected files (in containers the only
such metadata), in addition to the file contents. If you would like to
do that, just check the new box "Initialize MFT records". This option
has no effect on files in other file systems or files that are embedded
in other files or carved files.

Ext4: For files whose contents are not
defined/initialized at the end, the valid data length of files is now
displayed in File mode. Undefined data somewhere in the center of the
file are disregarded by this function.

In newly taken snapshots of Ext3* volumes, the vast
majority of files that utilize sparse storage or that are only partially
initialized are marked as such in the Attr. column immediately. Some
very few files will be identified as such once they have been opened for
reading/searching/processing.

The actually (but not officially) unused area at the
end of the last block of a directory in Ext* file systems is now nicely
highlighted like slack space in File mode, and once opened (for File
mode or logical searches or whatever) the logical size of the directory
will also be reflected in the volume snapshot (visible in the directory
browser's Size column only if recursive selection statistics are
disabled).

Previous releases potentially missed some files in
newer variants of XFS file systems. A tentative fix for that has now
been applied.

Those few extended attributes in HFS+ that contain
only short plain text are now output in the Metadata column instead of
as child objects.

Many hardlinked dir_* directories in .HFS+ Private
Directory Data in HFS+ now point back to their first source as a
so-called related item. This information is based on extended attributes
of the "firstlink" type.

The volume snapshot option "Include EA in snapshot"
for extended attributes in HFS+ file systems has been revised and
renamed to "Complete output of EA". By default, it is not checked. All
extended attributes deemed relevant by X-Ways Forensics are still
processed and output either in the Metadata column if they are textual
in nature (that is new) or as file contents of resident or compressed
files or as links to related directories, or as child objects that are
marked in the Attr. column with (EA). If the new option is half
selected, "firstlink" attributes and "quarantine" attributes are output
in the Metadata column additionally. If the new option is fully checked,
even empty binary PLists and ordinary "Security" attributes are output
as child objects.

The extra effort that X-Ways Forensics makes to
include deleted objects in FAT32 file systems correctly in the volume
snapshot since v19.3 is now optional (see Options | Volume Snapshot). If
only half checked, the extra effort is made only for subdirectories, not
files.

The Technical Details Report for a physical disk with
GPT partitioning now includes the unique partition GUIDs.

Miscellaneous

Previously, search hits for identical search terms
were always merged and made accessible through the same item in the
search term list. This is useful for example when running searches for
the same keywords / GREP expressions incrementally (in multiple runs) in
different evidence objects. Now there is a new box on the left-hand side
of the Simultaneous Search dialog window, which you can UNcheck in order
to always produce a new item in the search term list, even if the
keyword that you are looking for is identical to a previously used
keyword or a keyword in the same run. This is useful if you run the
searches with different settings (e.g. same keyword as a whole word and
not as a whole word at the same time), in order to be able to
distinguish the resulting search hits later.

The file mask for "Use associated program for
viewing..." now takes precedence over the internal graphics display
library and (if it's a video) even the specified preferred video player
(which may be different from the program associated with a particular
video file type).

A new command line parameter named "Override" was
introduced, which overrides message boxes and dialog boxes until the
last command line parameter has been processed. The text of those boxes
will be output to the Messages window (and thus indirectly also to
msglog.txt, unless disabled), and either an automatic click on OK will
be simulated (if the parameter is "Override:1") or a click on Cancel (in
case of "Override:2"). If a message box has only one button, it does not
matter which parameter value was specified. All of this helps to avoid
interruptions and delays of automatic processing when the program is
waiting for user input.

The default setting and recommended behavior (if no Override parameter
is specified) is like "Override:0", where message boxes and dialog boxes
are shown normally and potentially alert the user of critical error
conditions and anomalies such as incomplete images, undetectable image
format etc. The parameter takes effect immediately upon start-up, before
regular processing of other parameters begins, even if the Override
parameter is specified last in the command line.

The Override parameter also outputs the entire
command line to the Messages window (even with the value "0"), and this
happens at a time that depends on the position of the parameter within
the command line. This allows users who study the log later to know what
the simulated response to the suppressed message boxes and dialog boxes
was.

Ctrl+Alt is identified as different from Alt Gr and
can now be selected as a base key combination for user-defined keyboard
shortcuts.

The X-Tension API function XWF_OutputMessage now has
a flag that allows outputting the message to the case log instead of the
Messages window.

3-state check boxes now have the superscript 3 next
to the box instead of after the text label, which looks more tidy.

Users can now define their own tooltips for four
types of control items (check boxes, radio buttons, drop-down
boxes/combo boxes, and ordinary push buttons except "OK", "Cancel", and
"Help"). This is done by clicking such items with the Shift key pressed
and can be useful for personal notes and ideas, so that you can describe
and better remember your preferred settings for different situations and
their meaning. The tooltip texts will be stored in a file named
Tooltips.txt and can be shared with other users, for example within an
organization to remind your colleagues of which settings should be used
according to your defined standards. Tooltip texts are stored in
Unicode, may be up to 510 characters long, and may contain line breaks
for formatting purposes. You can tell that a user-defined tooltip is
available for a control item if it has a gray asterisk on its left.

Immediate effect when changing the setting for a
case-specific temp directory.

SR-1: Fixed an exception error that could occur with
certain settings when producing thumbnails of non-picture files for the
report.

SR-1: More debug information output for certain
errors.

SR-1: Some minor improvements and fixes.

SR-2: More generator signatures defined.

SR-2: Ability to add images to an existing case
through the command line. The first parameter for that is the path of
the .xfc case file, and the next parameter is the usual AddImage
command.

SR-2: The program no longer suggests to subscribe to
the newsletter if run with command line parameters.

SR-2: Fixed an error that could occur in v19.3 when
carving files in Ext2/Ext3 volumes.

SR-2: Some document excerpts were not extracted from
the Windows.edb database correctly any more. That was fixed.

SR-3: Fixed potential error messages about failing to
write into a file when processing SQLite databases.

SR-3: Fixed "... is an invalid character" error
message during the particularly thorough file system data structure
search in NTFS volumes in v19.3 for users with special regionally
preferred digit grouping characters such as a non-breaking space.

SR-3: In v19.3, particularly thorough file system
data structure searches for FILE records failed with an exception error
on volumes whose treatment as NTFS the user had to force for example
because they were reformatted with another file system. That was fixed.

SR-3: The internal marking of carved files changes
with this service release, for future compatibility with v19.4, so older
versions or releases will not describe carved files as carved files when
they load volume snapshots previously opened or created by this release.

SR-4: Ability to open Linux block devices with Tools
| Open Disk under Wine. Internally this requires interpretation of the
files as disks, just like with raw image files, and thus works only in
WinHex with a specialist license, WinHex Lab Edition, X-Ways
Investigator and X-Ways Forensics. The device storage capacity is
determined automatically, the sector size not necessarily.

SR-4: Creating report table associations based on
matching hash sets did not work on multiple files in v19.3 if no second
hash database existed. That was fixed.

SR-4: Fixed an exception error that could occur when
processing TAR archives.

SR-4: The investigator.ini file had no effect in
X-Ways Investigator v19.2 and v19.3. That was fixed.

SR-5: Superimposition now has an effect on a
partition again if the superimposition was applied to that partition
directly instead of to the disk from within which the partition has been
opened.

SR-5: Under very specific circumstances, files stored
in Ext4 file systems were opened as corrupted despite being intact. The
areas affected would have been displayed as sequences of binary zeroes.
This was fixed.

SR-5: Simultaneous search: GREP set syntax (square
brackets) now works in conjunction with the "MS Outlook cipher based on
UTF-16" code page.

SR-5: In HFS+ volumes with many extended attributes
not all of them were parsed. That was fixed.

SR-7: Deactivating the FlexFilters after they were
both active and combined with a logical OR rendered filtering
non-functional. That was fixed.

SR-7: Fixed an error in conversion from binary to
Intel Hex and Motorola S format that existed since v18.9.

SR-7: Internal functioning of the Tools | Compare
command improved.

SR-7: Ability to fully decompress some compressed
files in HFS+ that could not be fully decompressed previously.

Thank you for your attention! We hope to see you soon somewhere on
http://www.x-ways.net or on our
Facebook page.
You may also follow us on
Twitter! Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde

#155: X-Ways Forensics,
X-Ways Investigator, WinHex 19.3 released

Jun 14, 2017

This mailing is to announce the release of
another notable update with many, many important improvements,
v19.3.

Customers may go to
http://www.x-ways.net/winhex/license.html
for download links, the latest log-in data, details about their update
maintenance, etc. Those customers whose update maintenance or license has
expired can receive upgrade/renewal offers from there.

Please be reminded that if you are interested in receiving information about
service releases when they become available, you can find those in the
Announcement section of the forum and (with active access to updates) can
subscribe to them, too, by creating a forum profile. Please note that if you
wish or need to stick with an older version for a while, you should at least
use the last service release of that version. Yes, really.

Every now and then we still receive a request about a
replacement of a lost or stolen uninsured dongle although we have pointed
out many times that we do not replace such dongles. We ask for your
understanding that we provide only 1 working dongle per license, not as many
as customers want. We have never made an exception in our entire company
history. Anyone who still asks for a replacement of a lost dongle that was
not insured will forfeit their chance for a good-will discount on the
purchase of a new license.

Please sign up for our training newsletter here if you would like to be kept
up to date on classes in the USA, Canada, Europe, and/or Asia/Pacific.

What's new in v19.3? (please note that most changes apply to
X-Ways Forensics only)

File System Support

If the file header signature search in volumes with a
supported file system other than Ext2/Ext3 finds the start of a file in
free space, at a cluster boundary, the data is now by default assumed to
flow around potentially following clusters that are marked by the file
system as in use. This will correctly reconstruct files that were
created after and stored around other files and then deleted, as long as
the released clusters were not re-used and overwritten afterwards. To
prevent file carving purely in free space this way, i.e. to make it work
as in previous versions, you can UNcheck the new option "Carve files in
free clusters around used clusters". This option takes effect only at
the moment when files are added to the volume snapshot, not
retroactively for files that were added previously. Carved files purely
in free space retain the storage location that was assumed when they
were added to the volume snapshot even if the option is changed
afterwards. However, older versions of X-Ways Forensics will not
understand that certain files are assumed to flow around allocated
clusters and thus would present them as contiguous files, as usual, when
they work with the same volume snapshot.

If the file carving definition has the strong greedy
flag ("G"), after carving a file that flows around allocated clusters,
the file header signature search will skip only the first fragment of the
carved file. The "h" flag for header exclusion prevents the new carving
method from being applied to the affected file types.

The same logic to skip in-use clusters is now by
default also applied to deleted files in volume snapshots of FAT12,
FAT16, FAT32, and exFAT file systems, if not disabled in Options |
Volume Snapshot. That means that data of deleted files is now not
necessarily assumed to be contiguous any more, but assumed to occupy as
many free clusters from the start cluster number as are necessary to
accommodate the known file size, while skipping clusters that are marked
as in use by existing files. If the end of the volume is reached that
way, the next free clusters are taken from the start of the volume,
replicating the built-in logic of typical FAT32 file system drivers to
rotate through the volume on the search for allocatable clusters. As
this volume snapshot option retroactively changes the assumption about
the storage location of files that are already contained in the volume
snapshot, changing this option will also cause hash values to change if
they are re-computed.
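The cluster assignment logic described in the last two passages (carving around in-use clusters in free space, and deleted FAT files whose data is assumed to flow around allocated clusters and to wrap to the start of the volume), as an added example that is not X-Ways code. The allocation bitmap, cluster size and file size are constructed; the assumption that data clusters start at cluster 2 follows the FAT convention.

```python
import math

FIRST_DATA_CLUSTER = 2  # FAT convention: cluster numbers 0 and 1 are reserved


def contiguous_chain(start_cluster, file_size, cluster_size):
    """Previous assumption: a deleted file occupies consecutive clusters from
    its start cluster, regardless of what the file system allocated later."""
    needed = math.ceil(file_size / cluster_size)
    return list(range(start_cluster, start_cluster + needed))


def flow_around_chain(start_cluster, file_size, cluster_size, in_use, wrap=True):
    """New assumption: starting at the start cluster, take as many *free*
    clusters as the known file size needs, skipping clusters marked in use by
    existing files. When the end of the volume is reached, continue at the
    first data cluster (the rotation behaviour of typical FAT32 drivers).
    For carving in other file systems the same walk applies; wrap=False
    models a walk that must stop at the end of the volume.

    in_use is a constructed allocation bitmap: in_use[n] is True when
    cluster n is allocated to an existing file.
    """
    total_clusters = len(in_use)
    needed = math.ceil(file_size / cluster_size)
    if needed == 0:
        return []
    if in_use[start_cluster]:
        raise ValueError("start cluster %d is allocated; nothing to reconstruct"
                         % start_cluster)
    chain = [start_cluster]
    cluster = start_cluster + 1
    while len(chain) < needed:
        if cluster >= total_clusters:
            if not wrap:
                raise ValueError("end of volume reached before %d clusters were found"
                                 % needed)
            cluster = FIRST_DATA_CLUSTER
        if cluster == start_cluster:
            # Walked the whole volume once: the file size cannot be satisfied.
            raise ValueError("not enough free clusters on the volume")
        if not in_use[cluster]:
            chain.append(cluster)
        cluster += 1
    return chain


def fragments(chain):
    """Compact representation of a chain as (first, last) runs of consecutive
    clusters, like the optional compact output of the List Clusters command."""
    runs = []
    for c in chain:
        if runs and c == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], c)
        else:
            runs.append((c, c))
    return runs


def next_search_cluster(chain):
    """With the strong greedy flag the header signature search skips only the
    first fragment of the carved file; this returns the cluster right after it."""
    return fragments(chain)[0][1] + 1


if __name__ == "__main__":
    # Constructed 16-cluster volume: clusters 5-7 and 12-13 belong to live files.
    in_use = [c in (5, 6, 7, 12, 13) for c in range(16)]
    old = contiguous_chain(10, 2500, 512)
    new = flow_around_chain(10, 2500, 512, in_use)
    print("contiguous assumption :", old)             # [10, 11, 12, 13, 14]
    print("flow-around assumption:", new)             # [10, 11, 14, 15, 2]
    print("fragments             :", fragments(new))  # [(10, 11), (14, 15), (2, 2)]
    print("resume search at      :", next_search_cluster(new))  # 12
```

Note that the two assumptions yield different cluster lists for the same start cluster and size, which is why re-computed hash values change when the option is toggled.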

Significantly improved ability to recover deleted
files and directories in FAT32 volumes (ability to get the start
location right, in newly taken volume snapshots only).

File mode now offers a "raw" submode for
NTFS-compressed files. In Raw mode you can actually see the compressed
data as well as the sparse clusters, not the decompressed state of the
file. This is useful for research or educational purposes and because
theoretically small amounts of data could have been manually hidden in
the not clearly defined, but implicitly existing slack area of each
compression unit, which follows the compressed payload data.

Reduced the number of false positives when scanning
for lost Ext3/Ext4 partitions.

The "List Clusters" command in the directory browser
context menu has been revised. It can now be applied to some more
"exotic" objects that it could not deal with before, such as certain
embedded files, certain file system area files, and carved files. It
automatically outputs sector instead of cluster numbers for any objects
that are not aligned at cluster boundaries. It outputs the total number
of clusters or sectors even if contiguous series of clusters are
represented in the optional compact fashion. If exported to a text file,
the cluster list is automatically opened in the user's preferred text
editor. The effects of the aforementioned new cluster assignment logic
options are visible in newly populated cluster lists.

The volume snapshot options are now more clearly
structured, split into file system specific settings and file system
independent settings.

There is a new volume snapshot option that causes
X-Ways Forensics to read known uninitialized portions at the end of a
file (valid data length < logical file size) as binary zeroes instead of
as whatever data is stored in the clusters allocated. This mimics the
behavior of Windows when ordinary applications open files through the
operating system instead of reading the contents of the file directly
from the sectors in the volume. Useful for example to achieve hash
compatibility with such applications. This new option does not apply to
read operations for logical searches, so that logical searches remain
forensically thorough and clusters allocated to uninitialized portions
of files are still searched. This option has an immediate effect even on
already opened files, for the next read operation.

File Format Support

Details mode for JPEG files now shows an additional
table at the bottom. This table contains the generator signature as well
as the "condition" of the file, which may be "incomplete" (if the file
was truncated) or "trailing data" (if surplus data was appended to the
JPEG data) or in some cases "original" (if the file is believed with
great certainty to be in a pristine, unaltered state). "Original" is
based on the presence of thumbnails, the absence of color correction
certificates, the absence of unoriginal metadata such as XMP, based on
timestamps, based on artifacts left behind by known editing software,
and on whether a resize operation is detected.

Improved detection of scanned images. The model
designations of known scanning devices can be manually extended in the
section "KnownScanner" of "Generator Signatures.txt". Identification by
model name can help to identify scanned images if they contain Exif data
or were edited. Generally the detection as scanned images is based on 1)
generator signature, 2) generic properties of the Exif metadata
(FileSource, Density, ...) and 3) the KnownScanner list.

Improved detection of screenshots in JPEG format.

Recognition of JPEG files produced by Twitter through
their generator signature.

Checking the passwords in the password collection
provided for file archive exploration is now more thorough, avoiding
some rare false password matches.

Fixed a rare exception error that could occur with
password-protected RAR archives. Fixed another rare exception error in
conjunction with file archive handling.

RAR hybrid files now automatically receive a child
object named "Trailing data" so that no manual effort is required any
more to access the hidden data.

Uncovers embedded data from some more
.vcf files.

Carving method ~109 implemented for Blu-ray videos.

Google Analytics signature moved from the "Special
Interest" category to "Internet", as it has proven to be quite
worthwhile to collect web surfing events.

For UserAssist program executions, the event
description column now has the plain text description after ROT13
decoding.

Ability to interpret image files in TAR archives as
disks without having to copy/extract them out. Very handy for VMDK
virtual machine disks within OVA files (open virtualization archives in
TAR format).

Different e-mail recipient groups (To:, Cc:, and
Bcc:, if present) are now more clearly separated from each other in the
Recipients column and the alternative .eml presentation.

Cc: and Bcc: recipients are now distinguished from
To: recipients in the Recipients column for MSG e-mail files as well.

Timestamps

In the properties of evidence objects with a FAT file
system you can now optionally define which time zone the local
timestamps in that file system are based on, if you have an opinion
about that. That time zone depends on the settings of the computer or
device that wrote to the file system. (Keep in mind that those settings
may have changed over time and thus a single time zone may not be
adequate to get all timestamps right.) If you define the time zone
reference, file system level timestamps are presented according to the
selected display time zone and not in their original local time any
more. They are internally converted from local time to UTC (based on
your time zone reference) and then from UTC to the display time zone, at
the moment when the timestamps are displayed. The effect is not
permanent, the reference time zone settings can be changed at any time.
The definition of a time zone reference is lost if you open a case in
versions older than v19.3.

When copying files from FAT file systems to an
evidence file container, file system level timestamps of these files are
usually marked in the container as based on an unknown local time zone
so that they will not be time zone adjusted when reviewing the container
in the future. If however you are certain about the original time zone
and define the time zone reference for the source evidence object, the
timestamps are converted to UTC within the container based on the
reference time zone and marked in the container as timestamps in UTC,
permanently. In that state the timestamps later will be adjusted
according to the selected display time zone, even if you change your
mind and change the reference time zone in the source evidence object.
The evidence file container is self-contained and separate from the
source evidence object once files have been copied.
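The conversion chain described in the two passages above (FAT local time, reference time zone, UTC, display time zone, and what gets written into an evidence file container), as an added example that is not X-Ways code. The FAT date/time field layout is the documented FAT format; the zones are constructed fixed offsets with no daylight-saving handling, and the hint format is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed zones: reference zone of the machine that wrote the FAT volume
# (UTC+2) and the examiner's display zone (UTC-4). Fixed offsets only.
REFERENCE_TZ = timezone(timedelta(hours=2))
DISPLAY_TZ = timezone(timedelta(hours=-4))


def decode_fat_timestamp(date_word, time_word):
    """Decode the 16-bit FAT date and time fields into a naive datetime.
    FAT stores local time with 2-second resolution and no zone information,
    which is why the reference zone has to be supplied by the examiner."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def offset_hint(tz):
    """Conversion hint after a timestamp: hours added to or subtracted from
    UTC for the display zone (assumed format, e.g. '+2' or '-4')."""
    hours = tz.utcoffset(None).total_seconds() / 3600
    return "%+g" % hours


def display_timestamp(local_naive, reference_tz, display_tz):
    """Directory browser presentation. Without a reference zone the original
    local time is shown unchanged and without a hint. With one, the value is
    converted local -> UTC (via the reference zone) -> display zone at
    display time only, so the reference zone can be changed at any time."""
    if reference_tz is None:
        return local_naive, ""
    as_utc = local_naive.replace(tzinfo=reference_tz).astimezone(timezone.utc)
    return as_utc.astimezone(display_tz), offset_hint(display_tz)


def container_timestamp(local_naive, reference_tz):
    """What is recorded when the file is copied to an evidence file container:
    either an 'unknown local time' value that is never zone adjusted later, or
    a UTC value fixed permanently at copy time based on the reference zone."""
    if reference_tz is None:
        return "unknown local", local_naive
    as_utc = local_naive.replace(tzinfo=reference_tz).astimezone(timezone.utc)
    return "UTC", as_utc


if __name__ == "__main__":
    # Constructed FAT fields: 0x4ACE = 2017-06-14, 0x53C0 = 10:30:00 local.
    local = decode_fat_timestamp(0x4ACE, 0x53C0)
    print("stored local time   :", local)
    print("no reference zone   :", display_timestamp(local, None, DISPLAY_TZ))
    print("with reference zone :", display_timestamp(local, REFERENCE_TZ, DISPLAY_TZ))
    print("container, unknown  :", container_timestamp(local, None))
    print("container, UTC      :", container_timestamp(local, REFERENCE_TZ))
```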

The time zone conversion hints after timestamps in
the directory browser (the number of hours that have been added to or
subtracted from UTC) are now included in tooltips for these cells.

Consistency of timestamp notation and Unicode
capability of timestamp notation improved in a few places in the GUI and
in the case report/log.

As the number of years represented in Calendar mode
is limited, garbage timestamps in the far past can keep you from seeing
the years that you are interested in if you don't set a filter or don't
delete events with garbage timestamps. A new option now allows setting the
minimum year that will be represented by the calendar. Any timestamps in
earlier years will be disregarded by the calendar even if no filter is
active. By default, the minimum year is the year 2000. To change it,
click the number of the first year on the left in Calendar mode.

The Data Interpreter and also templates can now
display and edit FILETIME timestamps with a precision of milliseconds,
depending on the settings in Options | Notation.

Timestamps of files in OS directory listings and
remote network drives are now displayed with higher precision.

Display of internal creation timestamps in the
"Content created" column with millisecond precision, where available.

Searching

The whole words only option of the Simultaneous
Search works with a user-defined alphabet of characters of which words
are composed, in order to identify what a word is and where its
boundaries are. In previous versions, only an alphabet of characters
from the Latin 1 code page was supported (for all Western European
languages). Now an additional alphabet can be defined for letters of
certain other languages. If activated, it is used for searches in UTF-16
and searches in regional ANSI/OEM/IBM/ISO/Mac code pages with only 1
byte per character such as for Cyrillic, Greek, Turkish, Arabic, Hebrew,
Vietnamese, and various Central/Eastern/South Eastern European
languages. The Cyrillic alphabet is predefined.

Ability to index words that contain characters with
special GREP meaning, such as #.?()[]{}\*, without masking them, both
with the "range:" prefix and without.

Manual relocation or resize operations on search hits
through the context menu may now exceed 32,767 bytes (up to
2,147,483,647 supported in both directions). Concerning a related
command in the directory browser context menu, the size of carved files
can now be set manually as an absolute number instead of as an
adjustment to the previous size (through the directory browser context
menu). The maximum size supported by this operation is 4,294,967,295
bytes.

Ability to run the simple search functions (Find
Text, Find Hex Values) with the "List search hits" option in File mode
even in evidence objects. The search hits will be collected in the
general Position Manager.

Search hits in the general Position Manager are now
optionally deleted as soon as the general Position Manager is closed, to
avoid confusion as positions in the general Position Manager have no
reference to a particular file or disk and are intentionally applied to
whatever data source is active when invoked. The option can be found in
the Position Manager's context menu.

The XWF_GetItemType function now allows finding out
the detected file format consistency for a file.

The XWF_ShouldStop function now does not only check
whether the user wishes to abort lengthy operations, it also helps to
keep the GUI responsive when the X-Tension is not executed in a separate
worker thread. Calling this function regularly will process mouse and
keyboard input, allow the windows to redraw etc. The user realizes that
the application is not hanging, and potential attempts of the user to
close the progress indicator window will be noticed. Even if you ignore
the result of this function call during lengthy operations conducted by
your X-Tension, you are doing something good already by making the calls
in the first place.

The X-Tension function XWF_CreateEvObj can now add
multiple image files to the case with a single function call.

New X-Tensions API function XWF_GetHashSetAssocs.
Retrieves the name(s) of the hash set(s) that the specified file is
associated with.

Keyboard Shortcuts

It is now possible to define up to 20 custom keyboard
shortcuts for commands in the directory browser context menu and
elsewhere, in a dialog window that can be accessed from within Options |
Directory Browser. Currently available only in X-Ways Forensics.
Shortcuts are meant to increase your productivity while using the
functionality that you need most often. Only key combinations that
involve the keys Ctrl, Alt Gr, Shift and Space are supported. Please
note that if you use the Space key for any keyboard shortcut, you cannot
use it any more to tag or untag items. The second key can be relatively
freely defined by just pressing it when the grayed out edit box has the
input focus. In case no human-readable description of the selected key
is provided and you later forget what key you had defined, you can check
out this list of hexadecimal key codes:
https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx

The following ~80 directory browser menu command codes can
theoretically be used (not all tested) and have to be entered as a
number:

You will notice a few suspicious gaps in between the incrementing
numbers. The missing numbers are either unassigned or discouraged to
invoke or simply don't make much sense to define for a keyboard
shortcut. As an example for the latter, 9929 will delete selected search
hits or events, something that can of course be accomplished already by
pressing the Del key. This information shall reduce your urge to
randomly try numbers not listed here, although who knows whether one
undocumented number may trigger a secret "Find all evidence" command.

Please note that even without defining any such keyboard shortcut you
can reach all directory browser context menu commands purely with the
keyboard by pressing the context menu key. (Usually to be found between
the right-hand Windows key and the right-hand Ctrl key.) Some menu
commands already have a predefined keyboard shortcut. For example the
Enter key is the same as a double click (either View or Explore,
depending on your settings). The multiplication key of the numeric keypad
triggers the Explore command. Del means Exclude. Ctrl+Del resets files
to the "still to be processed by volume snapshot refinement" state and
undoes some refinement operations. Ctrl+Shift+Del removes hash set
matches, hash category, and PhotoDNA categorization. Ctrl+Caps Lock+Del
removes the "file contents unknown" flag from a file. (Useful for
example if because of temporary I/O problems X-Ways Forensics marked
files that way although generally the files can be read just fine.)
Ctrl+C copies the selected items into the clipboard using special
settings of the Export List dialog window.

The user-defined keyboard shortcuts should be able to invoke practically
all commands from the main menu as well, and even if parts of the user
interface other than the directory browser have the input focus. If the
command code of a menu command changes in a future version, X-Ways
Forensics will ensure that any keyboard shortcut targeting that code
will automatically become inactive, to prevent accidental misuse. To
find out the command codes of commands in the main menu (also called IDs
of menu items), you can open the main executable file in a so-called
resource editor and have a look at the menu resource in your preferred
language. A highly recommendable light-weight example of such a tool is
"Pelles C for Windows", which also happens to be a fine C compiler and
complete development kit suitable for creating X-Tensions.
Keyboard shortcuts for main menu commands should be less important than
for directory browser context menu commands because the main menu
already has many dedicated keyboard shortcuts predefined, or even if not
can be reached without taking one's hands off the keyboard starting with
the Alt key. To give you some ideas about useful applications, FYI the
command code to toggle between recursive and non-recursive exploration
is 122, and the command code to take a new volume snapshot is 109.

Command codes defined for filters
(The order is the historical order in which filters were introduced.)

New command line parameter "Cfg:", which determines
the name of the configuration file from which X-Ways Forensics will read
during start-up and to which it will write when terminating, in
situations when you need to use an alternative configuration (not the
one stored in the main WinHex.cfg file). For example useful if for
automated processing you need different settings than for manual
execution, with specific volume snapshot refinement operations selected
or to avoid the prompt whether a second instance should be started. Such
a parameter looks like "Cfg:My other settings.cfg". The quotation marks
are required only if the name contains spaces. The maximum length of the
name is 31 characters. Only ANSI/ASCII characters supported currently.

Text in message boxes that usually need to be clicked
away by the user is now redirected to the Messages window while
processing the command line parameters "AddImage" and "RVS". Dialog
boxes, if any, would still pop up normally.

The command line parameter AddImage can now be used
to add multiple image files to the case at the same time, with an
asterisk in the filename, such as "AddImage:Z:\My Images\*.e01".

The "AddImage" command line parameter now supports
optional sub-parameters to force interpretation of an image as either a
physical, partitioned medium (P) or a logical volume (V) and to force
interpretation with a certain sector size, where the sector size is
optional, e.g.

AddImage:#P#Z:\Images\*.dd
AddImage:#P,4096#Z:\Images\*.dd

If you do not specify these sub-parameters, a dialog window might pop up
to ask the user for this input, but only in some very rare cases. Only
if 1) it is not obvious to X-Ways Forensics from the data in the first
few sectors what kind of image it is and 2) if the image was not created
by X-Ways Forensics or X-Ways Imager and 3) if the image is in raw
format. Only if all three conditions are met at the same time plus you
do not specify the sub-parameters, then the dialog window will pop up
and interrupt automatic processing.

User Interface

Dedicated icon for evidence file containers in the
Case Data window.

Larger font in the text column display for UTF-16 for
better readability, especially of Chinese characters.

Avoided some rare graphical artifacts in the text
column display for code pages with a variable number of bytes per
character.

Text representations of dialog windows now by default
omit unselected list box items and unchecked check boxes and radio
buttons. This is a new option in the special menu that you get when you
click the small unlabeled button in the upper left corner of a dialog
window. It also affects the textual summary of active filters.

The Info window is now called Output window, as that
more precisely describes its purpose. And it now gets its own screen
coordinates and a centered position initially, and its coordinates are
remembered separately from those of the Messages window, as otherwise
some users seem to completely overlook that window, and they even
contact us when they don't see the output that they expect, although
it's visible on their screens.

New menu command available to collapse the entire
case tree when right-clicking the case title.

Carved files are now identified as such not only by
the Description column, but also by their icons, with by default either
a stylized C (Windows 7) or a hammer (Windows 10, unavailable in Windows
7). The exact character can be entered in the Options | Notation dialog.
Hopefully that way some users will no longer find it necessary to name
all carved files with a prefix like "Carved_".

The information that a file was originally a carved
file is now preserved in evidence file containers and shown in the
Description column and icon even for files within containers.

The special file icon for pictures now by default no
longer gets symbols like question marks, arrows, scissors, hammers, etc.
superimposed, which is easier on the eye. You can still tell the exact
deletion status from the Description column, and the rough
deletion/existence status is still obvious from the contrast of the
icon. However, if the box for this option is half checked, the icon is
displayed as in previous versions, with full details.

The command to view the selected file with a selected
external program now invokes the standard Windows dialog to pick such a
program.

Whether the viewer component or the internal graphics
viewing library should be used for pictures is now remembered by X-Ways
Forensics separately for Preview mode and the View command. For the View
command the behavior can be changed in Options | Viewer Programs.

When not allowing to view multiple pictures at the
same time with the View command and the internal graphics viewing
library, a new "Auto update" option is now available in Options | Viewer
Programs, which will refresh the View window for a picture immediately
when a new picture is selected in the directory browser, one way or the
other, for example with a single mouse click or when advancing to the
next file after defining a report table association. This behavior was
previously limited to the arrow keys in the gallery. It should be useful
mainly for work with multiple monitors.

Italian translation updated.

Miscellaneous

FlexFilters are now optionally case-sensitive.
Case-sensitive operations are always faster and should be used for
performance reasons unless you require otherwise.

Category pop-up menu statistics are retained when
activating the filter.

The blue funnel symbol on both sides of the caption
line of the directory browser is now always present when filters are
active, even if the filters do not actually filter out any items.

Byte-wise checksum computation for multi-byte
accumulators as was the standard in v18.9 and earlier is now an option
in Options | Security. The newer variant is to compute multi-byte
checksums by adding units that are equivalent in size to the accumulator
itself, e.g. 4 bytes for 32-bit checksums. Both variants exist in real
life applications.
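Both checksum variants from the paragraph above, side by side, as an added example that is not X-Ways code: the byte-wise accumulation of v18.9 and earlier, and the newer unit-wise accumulation in which each added unit is as wide as the accumulator. The input data is constructed; zero-padding of a trailing partial unit and the default little-endian unit order are assumptions.

```python
def checksum_bytewise(data, width):
    """v18.9-style: add every single byte into an accumulator of `width`
    bytes, discarding overflow beyond the accumulator size."""
    mask = (1 << (8 * width)) - 1
    acc = 0
    for b in data:
        acc = (acc + b) & mask
    return acc


def checksum_unitwise(data, width, byteorder="little"):
    """Newer variant: add units of `width` bytes (e.g. 4 bytes for a 32-bit
    checksum). Assumed here: a trailing partial unit is zero-padded and
    units are read little-endian unless told otherwise."""
    mask = (1 << (8 * width)) - 1
    acc = 0
    for i in range(0, len(data), width):
        unit = data[i:i + width].ljust(width, b"\x00")
        acc = (acc + int.from_bytes(unit, byteorder)) & mask
    return acc


def checksum_variants(data, width):
    """All interpretations an analyst may have to try when a checksum found
    in a file does not match the first computation."""
    return {
        "bytewise": checksum_bytewise(data, width),
        "unitwise_le": checksum_unitwise(data, width, "little"),
        "unitwise_be": checksum_unitwise(data, width, "big"),
    }


if __name__ == "__main__":
    sample = b"\x01\x02\x03\x04\x05"  # constructed input
    for width in (1, 2, 4):
        print("width %d:" % width, checksum_variants(sample, width))
    # width 1 gives 15 for every variant; for wider accumulators the
    # variants diverge, e.g. width 4: bytewise 15, little-endian 0x04030206.
```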

Recover/Copy: Ability to specify the name of the log
file if the file is created in the output directory. Useful if you run
multiple Recover/Copy operations specifically for different purposes, to
produce one separate log file for each output.

Ability to open spanned LVM2 volumes if the other
disk is missing. Available data will be incomplete, but potentially
still very helpful.

Ability to open an evidence object that is a
directory even if that directory does not exist any more, to be able to
at least check out the volume snapshot again, using the command "Open
(without disk/image)".

We are pleasantly surprised that you are reading
every single bullet point. Thank you very much for your time.

Option to unload the hash database if loaded at the
moment when all data windows are closed (the moment when the last open
data window is closed), to save main memory or to specifically allow
other concurrent users or instances to change the hash database.

Ability to set the alternative name of a file by
holding the Shift key when renaming it (at the moment when clicking the
OK button).

The Technical Details Report now has an option to
show a byte-swapped version of hard disk serial numbers in addition to
the serial number reported through the operating system, when in doubt.
Some users of certain interfering hardware write blockers may find that
useful.

More complete representation of the logical memory
address space of 64-bit processes.

More tolerant to corruption in internal metadata
storage files.

Many minor improvements.

User manual and program help updated for v19.3.

Changes of service releases of v19.2

SR-1: Fixed inability of v19.2 to remember the
default volume snapshot refinement operations when run from the command
line.

SR-2: The option to show non-picture files in the
gallery is now represented by a three-state check box. If half checked,
only those non-picture files will be represented as thumbnails in the
gallery whose type can be confirmed or newly identified by X-Ways
Forensics. That means that files of unknown types and garbage files will
not be represented in the gallery any more. This will speed up the
gallery, reduce the number of thumbnails with just ASCII character
gibberish in them, and perhaps most importantly prevent an error in the
viewer component from occurring, which exhausts the pool of available
GDI objects (handles in the graphics device interface of Windows) in the
process and leads to graphical screen artifacts, loss of functionality
or even crashes. So far only files with garbage data are known to
trigger this error. The error is probably very rarely encountered when
specifically viewing or previewing individual files only, but when
reviewing large amounts of non-picture files in the gallery it becomes
more likely to occur. The error is known to Oracle as bug #25430258. No
fix has been made available yet.

SR-2: Images stored in nested subdirectories of the
case directory instead of directly in the case directory are now also
found immediately even if drive letter or absolute path of the case have
changed.

SR-2: Chinese translation of the user interface
updated.

SR-3: The time out for the generation of thumbnails
of non-picture files in the gallery is now the same user-defined value
as previously used only for pictures that are loaded by the internal
graphics viewing library. It can be adjusted in Options | Viewer
Programs. A smaller value may result in a faster display of the gallery,
but at the cost of interrupting the loading process of the viewer
component for some files, in which case the gallery tile shows "Error -
operation cancelled".

SR-3: v19.2 SR-2 did not properly execute external
viewer programs. That was fixed.

SR-3: Videos are now again represented in the case
report by their first extracted still as a thumbnail.

SR-3: If the output of the Compare function was a
text file and the comparison start offsets in the two data windows were
different, the second offset reported for a found difference was off.
That was fixed.

SR-3: Fixed a problem in LVM2 support.

SR-3: Fixed a rare exception error that could occur
when producing a registry report based on Reg Report Free Space.txt.

SR-4: Run counts from Windows 10 Prefetch files while
shown correctly in Preview mode were not extracted correctly into the
Metadata column. That was fixed.

SR-5: If original pictures were not included in the
case report, but thumbnails of pictures were supposed to be output,
those thumbnails were not generated for very small pictures. That was
fixed.

SR-5: Under certain circumstances the detection of
scanned images/PDF documents failed. That was fixed.

SR-5: The whole words only option of the Simultaneous
Search is no longer applied to search hits that are not words according
to the user's selected alphabet definition (checking only the first and
the last character in the hit). However, the GREP word boundary
indicator \b is still applied in such a case, for example to be able to
search for certain data in between words, data that is not considered a
word itself.

SR-6: The volume snapshot refinement option of v19.1
and later to omit files deemed irrelevant by the hash database also
omitted known uncategorized files if they were identified as such only
by a previous refinement run, with no re-matching. That was fixed.

SR-6: Fixed the incorrect size of a few carved files
and avoided output of some irrelevant/damaged OLE2 objects.

Thank you for your attention! We hope to see you soon somewhere on
http://www.x-ways.net or on our
Facebook page.
You may also follow us on
Twitter! Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
here.

Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde

#154: X-Ways Forensics,
X-Ways Investigator, WinHex 19.2 released

Mar 27, 2017

This mailing is to announce the release
of another notable update with many important improvements,
v19.2.


KPF by Jedson Technologies: picture and video categorization previously known as
C4All. The X-Ways KPF version is the original C4All X-Tension; it does
everything the original C4All did and more (about six times faster), and is
free. Other versions exist that produce output in JSON/ProjectVic, XML, or
other formats.
Presentation at Techno Security & Digital Forensics conference.

Disk I/O X-Tensions can now intercept not only
sector-wise I/O at the disk level (for example to decrypt encrypted
disks or partitions on the fly so that X-Ways Forensics sees the
decrypted data), but also I/O at the file level (for
example to decrypt encrypted files). The new function to export for that
purpose is XT_FileIO. For details please see
http://www.x-ways.net/forensics/x-tensions/XWF_functions.html#A.

A new X-Tension API function named XWF_FindItem1
conveniently returns the internal ID of a file with a given
name in a given directory.

What's new in v19.2? (please note that most changes
apply to X-Ways Forensics only)

File Type Support

Files encrypted in Zip, RAR, and 7z archives can
now also be decompressed and processed, provided that the password is
known or can be guessed. X-Ways Forensics will try every password listed
in either the password collection of the current case or a general
password collection. You can edit the password list right from
within the dialog window with the options for archive processing. The
case-specific password collection can also be edited from within the
case properties; it is stored as a UTF-16 encoded text file named
"Passwords.txt" in the case directory. The general password collection is
stored in a file of the same name in the installation directory or in
your Windows user profile directory. Almost all Unicode characters are
supported, including space characters, Chinese characters, etc.
Remember that passwords are usually case-sensitive.

If the collection contains the right
password for a particular file archive, that password will be remembered
in that file's extracted metadata and taken directly from there instead
of the case's password collection if it is needed again later to read files in
the archive. Alternatively, you can provide a specific password for a
particular file archive manually and directly by editing that file's
metadata; you just need to know that the password must be prefixed with
"Password: ". (Note to French users: No space before the colon.) Files
within encrypted file archives are not treated and shown as encrypted
("e" attribute) if the right password was available at the moment when
the files were added to the volume snapshot. The archives themselves are
still shown with the "e!" attribute. RAR and 7z archives in
which not only the file contents but also the file names are encrypted are
not currently supported.

Support for iOS's sms.db. All recorded conversations
via SMS are extracted to individual chat files. All messages are added
to the event database, where they can be filtered based on phone number
or email address.

Linux software RAIDs: Ability to recognize MD RAID
container partitions as such. They are represented as two distinct
items: a static header area that contains metadata about the RAID
(usually at relative offset 4096), and an explorable partition that
serves as a RAID component. In the case of RAID level 1 that explorable
partition contains a fully self-contained volume whose file system can
be parsed normally (without any reconstruction effort) if supported. For
other RAID levels, the reconstruction can be accomplished with
the Specialist | Reconstruct RAID command, and some hints on the correct
reconstruction parameters are shown as comments attached to the header
area item. The result of the reconstruction will be a single volume,
which is represented as encompassed in a virtual physical disk. The RAID
components have to remain in the case as evidence objects for internal
reasons, so that the reconstructed RAID can be re-opened with a single
mouse click later.

Terminology: What was formerly designated as the
stripe size is now correctly referred to as the strip size. The stripe
size is the strip size multiplied by the number of RAID component disks,
i.e. a whole row.
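As an added example (not X-Ways code; the newsletter does not say how X-Ways Forensics reads the header area), the following Python parses the leading fields of a Linux md version 1.x superblock as laid out in the kernel's struct mdp_superblock_1 (linux/raid/md_p.h), at the 4096-byte offset used by metadata version 1.2, and derives the strip size and stripe size in the corrected terminology above. The superblock bytes are constructed inline for an assumed three-disk RAID 5 with 512 KiB chunks; the chunk size, disk count, timestamps and array name are made up for the demonstration.

```python
import struct

MD_SB_MAGIC = 0xA92B4EFC   # little-endian magic of struct mdp_superblock_1
SB_OFFSET_V1_2 = 4096      # metadata version 1.2 stores the superblock 4 KiB into the component
SECTOR = 512


def parse_md_superblock(blob: bytes) -> dict:
    """Parse the first 96 bytes of an md v1.x superblock:
    magic, major_version, feature_map, pad0 (4 x u32), set_uuid (16), set_name (32),
    ctime (u64), level (s32), layout (u32), size (u64), chunksize (u32), raid_disks (u32)."""
    if len(blob) < 96:
        raise ValueError("superblock truncated")
    magic, major, feature_map, _pad0 = struct.unpack_from("<IIII", blob, 0)
    if magic != MD_SB_MAGIC:
        raise ValueError(f"not an md superblock: magic 0x{magic:08x}")
    set_uuid = blob[16:32].hex()
    set_name = blob[32:64].split(b"\0", 1)[0].decode("ascii", "replace")
    (ctime,) = struct.unpack_from("<Q", blob, 64)
    level, layout = struct.unpack_from("<iI", blob, 72)      # level -1 = linear
    (size_sectors,) = struct.unpack_from("<Q", blob, 80)     # usable size of each component
    chunk_sectors, raid_disks = struct.unpack_from("<II", blob, 88)
    strip = chunk_sectors * SECTOR                           # md's "chunk" is one strip
    return {
        "major_version": major,
        "feature_map": feature_map,
        "set_uuid": set_uuid,
        "set_name": set_name,
        "ctime": ctime & ((1 << 40) - 1),                    # low 40 bits are seconds
        "level": level,
        "layout": layout,
        "component_bytes": size_sectors * SECTOR,
        "raid_disks": raid_disks,
        "strip_size": strip,
        "stripe_size": strip * raid_disks,                   # one whole row across all disks
        "parse_directly": level == 1,                        # mirrors hold a self-contained volume
    }


def build_sample_component(level=5, chunk_kib=512, raid_disks=3, name=b"nas:0") -> bytes:
    """Constructed test input: a zeroed 4 KiB area followed by a v1.2 superblock."""
    sb = bytearray(256)
    struct.pack_into("<IIII", sb, 0, MD_SB_MAGIC, 1, 0, 0)
    sb[16:32] = bytes(range(16))                              # made-up array UUID
    sb[32:32 + len(name)] = name
    struct.pack_into("<Q", sb, 64, 1_490_000_000)             # made-up ctime, seconds only
    struct.pack_into("<iI", sb, 72, level, 2)                 # layout 2 = left-symmetric (RAID 5)
    struct.pack_into("<Q", sb, 80, 1_953_000_000)             # component size in sectors
    struct.pack_into("<II", sb, 88, chunk_kib * 2, raid_disks)  # chunksize is in 512-byte sectors
    return b"\0" * SB_OFFSET_V1_2 + bytes(sb)


def reconstruction_hints(component: bytes, offset: int = SB_OFFSET_V1_2) -> dict:
    """The parameters an examiner needs for Specialist | Reconstruct RAID, read from one component."""
    return parse_md_superblock(component[offset:])


if __name__ == "__main__":
    for key, value in reconstruction_hints(build_sample_component()).items():
        print(f"{key:16s} {value}")
```

The strip size is what the Reconstruct RAID dialog asks for; the stripe size (strip size times number of component disks) is only shown to make the terminology change above concrete. Metadata versions 1.0 and 1.1 store the same structure at a different offset (near the end of the device and at offset 0 respectively), so a failed magic check at 4096 does not by itself mean the partition is not an md component.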

Sector superimposition used to affect specifically
the disk/partition/volume represented by the data window to which it was
applied. From now on, it also has an effect on partitions opened from
within a physical, partitioned disk to which sector superimposition was
applied.

Ability to properly open partitions whose sector
size is a multiple of the sector size of the underlying physical disk.
This is important for example for Windows storage space partitions in
Windows storage space pool disks. These partitions and disks have a
simulated sector size of 4 KB even if they reside on physical disks with
a sector size of 512 bytes.

The search for lost partitions now finds NTFS storage
space partitions within storage space container partitions despite
sector size discrepancies. The search for lost partitions is a useful work-around
to find and properly parse the actual payload partition in simple
single-disk Windows storage spaces.

GPT partition names are now shown in the Name column
as alternative names and should be helpful when examining Android phone
images containing large numbers of partitions, revealing their
respective functions.

Technical details report slightly more complete now
with partition names as per GUID partition tables.

Structure of Access button menu improved for
partitioned disks. (Access button is the official name of the button
with the white arrow, below the Sync button.)

Usability

When clicking the link to an attachment from within
the alternative e-mail preview, this now triggers the same action as if
that file had been viewed from within the directory browser. That means
that 1) it will be marked as already viewed, 2) depending on your
preferences, if it's a picture, it will be either presented by the
viewer component or the internal graphics display library, and 3)
depending on your other viewer settings the file may be opened in an
external program, for example if it is a video file.

In replace mode for report table associations, the
currently associated report tables are now automatically preselected, so
that it's less work and less error-prone to remove or add one report
table specifically.

The case directory is the directory that has the same
name as the .xfc case filename just without the extension. It is a
subdirectory of the cases directory. There is now special support for
the case directory as an image storage location. If images are moved to
the case directory first and then added to the case or if the path of an
existing image in the case is changed to that in the case directory with
the "Replace with New Image" command, these images will be referenced
internally without path, and thus the image can always be found
instantly even if the case is moved to a different directory or if the
drive letter changes. A case that has all images in its own directory
can be considered fully self-contained. References to images in the case
directory without path are understood by v19.0 SR-14, v19.1 SR-7, and
v19.2.

Changing the display time zone for an evidence object
that is a partitioned, physical disk now automatically also changes the
display time zone for all its partitions (dependent evidence objects).

Filters

A new filter concept was introduced, called
FlexFilters. Two such filters are available in WinHex Lab Edition,
X-Ways Investigator and X-Ways Forensics. They can target any column in
the ordinary directory browser (i.e. not search hit list or event list
specific columns) that the user wishes to focus on, with an arbitrary
number of substrings, and they can be combined with a logical OR or a
logical AND. So this makes them the only filters that can be combined
with one another with a logical OR.

For example, these new filters are useful if you wish to target files
that were created or modified not in a particular contiguous period of
time, but generally on certain weekdays or on weekends, i.e. where
either of these columns contains the word "Saturday" or "Sunday" in the
long date notation format. They are also useful whenever the column-specific
filter does not give you as many options as you need (e.g. for
Author, Sender, Recipients you can currently only enter one name or
address or substring, and with the Description filter you cannot
currently specifically target additional hard links that are optionally
omitted from certain operations).

The color that indicates that a FlexFilter is active is violet instead
of blue, so that it can be better distinguished from a regular column
filter. Both FlexFilters come with a NOT option, and they may also
target the same column, so that you can achieve results like "show all
e-mail messages sent with the name John Doe in the sender field where
the sender field does NOT contain the domain name company.com".
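The filter semantics described above, as an added Python model (this is not X-Ways code and says nothing about how the program implements FlexFilters internally): each FlexFilter targets one column with any number of substrings, a row matches if any of the substrings occurs, a NOT option inverts the result, and the two filters are combined with AND or OR. The rows are constructed e-mail entries; the long date notation is assumed to be "Weekday, D Month YYYY".

```python
from dataclasses import dataclass
from datetime import datetime

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")


@dataclass
class FlexFilter:
    """One FlexFilter: a target column, any number of substrings (a row matches
    if ANY of them occurs in that column), an optional NOT, and case sensitivity."""
    column: str
    substrings: tuple
    negate: bool = False
    case_sensitive: bool = False

    def matches(self, row: dict) -> bool:
        value = str(row.get(self.column, ""))
        needles = self.substrings
        if not self.case_sensitive:
            value = value.lower()
            needles = tuple(s.lower() for s in needles)
        hit = any(s in value for s in needles)
        return (not hit) if self.negate else hit


def apply_flexfilters(rows, first: FlexFilter, second: FlexFilter, combine: str = "AND"):
    """Combine the two FlexFilters with a logical AND or OR and return the surviving rows."""
    if combine not in ("AND", "OR"):
        raise ValueError("combine must be 'AND' or 'OR'")
    keep = all if combine == "AND" else any
    return [r for r in rows if keep(f.matches(r) for f in (first, second))]


def long_date(dt: datetime) -> str:
    """Assumed long date notation with the weekday spelled out, e.g. 'Saturday, 25 March 2017'."""
    return f"{DAYS[dt.weekday()]}, {dt.day} {MONTHS[dt.month - 1]} {dt.year}"


# Constructed sample rows standing in for directory browser entries (e-mail messages).
ROWS = [
    {"Name": "a.eml", "Sender": "John Doe <john@company.com>",
     "Created": long_date(datetime(2017, 3, 25, 9, 0))},   # a Saturday
    {"Name": "b.eml", "Sender": "John Doe <jdoe@webmail.example>",
     "Created": long_date(datetime(2017, 3, 27, 9, 0))},   # a Monday
    {"Name": "c.eml", "Sender": "Jane Roe <jane@company.com>",
     "Created": long_date(datetime(2017, 3, 26, 9, 0))},   # a Sunday
]

WEEKEND = FlexFilter("Created", ("Saturday", "Sunday"))
FROM_JOHN = FlexFilter("Sender", ("John Doe",))
NOT_COMPANY = FlexFilter("Sender", ("company.com",), negate=True)


def names(rows):
    return [r["Name"] for r in rows]


if __name__ == "__main__":
    print("weekend AND from John Doe:        ", names(apply_flexfilters(ROWS, WEEKEND, FROM_JOHN)))
    print("from John Doe AND NOT company.com:", names(apply_flexfilters(ROWS, FROM_JOHN, NOT_COMPANY)))
    print("weekend OR from John Doe:         ", names(apply_flexfilters(ROWS, WEEKEND, FROM_JOHN, "OR")))
```

Note that the OR across substrings lives inside one filter (Saturday or Sunday), while the AND/OR between the two filters is what lets both target the same column, as in the John Doe / company.com case.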

Right-clicking a column header in the directory
browser now quickly activates or deactivates that column's filter
without showing the settings dialog window, just like when left-clicking
the filter icon with the Shift key pressed.

Ability to output a textual summary of all currently
active filters with their settings, by right-clicking the blue funnel
symbol on the left or right end of the caption line of the directory
browser.

Volume Snapshot Refinement

Indexing is now permitted as a sub-operation of a
volume snapshot refinement run with multiple threads, though it is not
further parallelized itself when multiple refinement threads are active.

Previous hash set matches for all files in a volume
snapshot are not completely discarded any more when re-matching only
selected or tagged files. Now only previous matches for those particular
files are discarded.

A new option allows to restrict picture loading to
just 1 worker thread at a time, with a new check box next to "Picture
analysis and processing", either strictly (fully checked) or not so
strictly (half checked). Please give this option a try if you experience
exception errors or crashes when multiple pictures are processed
simultaneously.

Outputs a file named ResIL.log in case of certain
instability problems with picture processing for debugging purposes.

Viewer Component

On Jan 17, 2017, Oracle released a security patch
update (dated Dec 12, 2016) for v8.5.3 of the viewer component. The updated
version has been downloadable from our web site since Jan 18, 2017. Installing it is
probably advisable for security reasons. A list of bugs fixed was
not made available. Two DLLs were updated: dewp.dll and vspdf.dll. They
are probably responsible for word processing documents and PDF files.

Miscellaneous

When taking a volume snapshot without sector level
access, e.g. of a remote network drive or a directory or a local drive
letter without administrator rights, overlong paths are now supported,
up to ~1000 characters long.

The most essential functions in X-Ways Forensics are
now able to open files with overlong file paths up to ~1000 characters
long (File mode, Preview mode, volume snapshot refinement, logical
search).

Thumbnails can now be created for and shown in the
case report even when not copying and linking the original files.

When a simple linear search for a single match finds that match
while the program is running in the background, a notification sound
is output to alert the user.

Many minor improvements.

User manual and program help updated for v19.2.

Changes of service releases of v19.1

SR-1: Some commands in the directory browser context
menu in v19.1 did not always appear as they should have appeared. That
was fixed.

SR-1: An exception error that could occur in v19.1
when hashing files should no longer occur now.

SR-1: The JPEG quality detection now also works for
rotated JPEGs.

SR-2: Computing hash values and matching them against
hash databases was not repeated for already processed files in the original v19.1 release.
Now it is repeated again, and that operation is now officially
documented as one of the two operations that are applied repeatedly to
the same files in a volume snapshot, the other being
indexing.

SR-2: Many descriptions for registry events were not
output to the event list. That was changed. This improvement will also
be applied to v19.0 SR-13.

SR-3: Prevented a rare error with corruption of
decoded textual data when running a logical search with multiple worker
threads.

SR-3: The representation of search hits in the search
hit list is now based on the code page of the search hit in certain
situations where previously it was not. Improved code page based context
preview specifically for search hits in ISO-2022 code pages, where the
search hits and their surroundings may or may not be prepended directly
with a suitable escape sequence and may or may not be just ordinary
ASCII text.

SR-4: Support for one previously unsupported
component of the PIDL data structure in OpenSavePidlMRU items in the
Windows Registry.

SR-4: Fixed a stability problem in the Registry
Viewer.

SR-4: Index searches for two words that are delimited
by a space were unsuccessful in certain files. That was fixed.

SR-4: Some sent e-mails extracted from PST archives
were presented with erroneously inserted header lines. That error in the
extraction process was fixed.

SR-4: Fixed an exception error that could occur in
v19.1 when selecting files, events or search hits in the Case Root
window.

SR-5: Fixed potential hanging during XViD metadata
extraction.

SR-5: Prevented an exception error that could occur
at the end of indexing when not even a single word was found to index.

SR-6: Certain currently unsupported file system level
compression styles in HFS+ volumes are now recognized as such, and the
affected files will be shown with their correct file size and "only
metadata available" in the description.

SR-6: Fixed an exception error that occurred with
template variables within loops if their names were longer than 30
characters.

SR-6: Since v17.3, files with child objects and an
unknown hard-link count were potentially included in evidence file
containers multiple times. That was fixed.

SR-6: Page count of some special PDF documents now
reported correctly.

SR-7: Fixed an exception error that occurred in the
X-Tension API function XWF_CreateEvObj if the case was still empty.

SR-7: Gallery scroll position is reset when the
directory browser is re-filled.

SR-7: Uninitialized areas of NTFS-compressed files no
longer have an undefined status, but are now presented with the data as
stored on the disk, just as with ordinary (not compressed) files.


Kind regards

Stefan Fleischmann

X-Ways Software Technology AG
Carl-Diem-Str. 32, 32257 Bünde, Germany

#153: X-Ways Forensics,
X-Ways Investigator, WinHex 19.1 released

Jan 19, 2017

This mailing is to announce the release
of another notable update with many important improvements,
v19.1.


NEW: If, when querying your licenses, you do not
receive any e-mail message at your work address because your organization
is blocking the sending server, you now have the option (here)
to get the e-mails sent from an alternative server (different domain,
different IP address), for a second chance to actually receive something.


Please note that if you wish to stick with an older
version for a while, you should use the last service release of that version. Errors in
older releases of the same version may have been fixed already and should
not be reported any more.

Upcoming Training

Jan 27        Miami, FL            NTFS/XWFS2
Feb 13-16     London, England      X-Ways Forensics
Feb 20-23     London, England      X-Ways Forensics
Feb 27-Mar 2  Ottawa, ON           X-Ways Forensics
Mar 13-16     London, England      X-Ways Forensics
Mar 21-28     Victoria, BC         X-Ways Forensics, X-Ways Forensics II
Apr 11-12     London, England      X-Ways Forensics II
Apr 19-21     Washington DC area   X-Ways Forensics II, XFS
May 9-12      New York City        X-Ways Forensics
May 15-19     Boston, MA           X-Ways Forensics, NTFS/XWFS2


What's new in v19.1? (please note that most changes
apply to X-Ways Forensics only)

File Type Support

Support for Google's Chrome sync database, where
information can be found that is synchronized across devices, such as
bookmarks, form history, typed URLs, synced devices and much more. A
preview HTML file is generated, and events are output to the event list.

Ability to view upside-down Bitmap pictures with the
internal graphics display library and in the gallery. (To see them
flipped vertically, you currently have to view them with the viewer
component, though.)

TAR archive processing revised.

Fixed inability to process BZ2 archives.

More reliable detection of pictures as screenshots
(output as report tables "Screenshot" and "Screenshot?").

New report table "Scan" for PDF and JPEG files that
contain a scan. The detection is based on generator signatures
"PDF/Scan" and "JPEG/Scan".

Most JPEG pictures that were transcoded by Facebook
and downloaded from Facebook are now identified as such in the Metadata
column by their generator signature.

PDF metadata extraction improved especially for
Acrobat 10 PDF files.

Tentative extraction of Exif metadata fields that are
damaged in a certain way.

The type status "mismatch detected" now has an effect
on the assumed relevance of a file.

The relevance of a file now more reliably takes into
account whether or not a picture is a screenshot.

Improved stability while processing EDB databases.
Users of v18.8, v18.9, and v19.0 may replace their copy of the file
EDBex.dat with the new version that at first is tentatively included in
v19.1 only.

Sender and recipients are now also shown for MSG
files to which e-mail processing was applied, not only for the extracted
.eml file.

File System Support

Extended attributes in HFS+ can now optionally be
included in the volume snapshot as child objects of the files or
directories to which they belong (in X-Ways Forensics only), controlled by
a new 3-state volume snapshot option. If fully checked, extended
attributes are presented as child objects even when X-Ways Forensics has
already interpreted them internally. If half
checked (the default setting in X-Ways Forensics), they are presented as
child objects only if they are not specially interpreted by X-Ways
Forensics, on the assumption that the user might want to check them out manually.

Ability to open files with resident/inline storage in
HFS+.

Ability to recognize and open compressed files in
HFS+.

HTML previews are now generated during metadata
extraction for the GZ archives that contain Apple FSEvent logs.

Event extraction from Apple FSEvent logs.

Recognition of new file system level compression
style in NTFS under Windows 10.

In newly taken volume snapshots, alternate data
streams now show hard link counts in the same way as their parents, so
that the alternate data streams of additional hard links can be
optionally omitted from searches etc.

Disk Imaging

The descriptive text file that is generated for
images now records the exact size in bytes of every segment of raw
image files and the exact chunk count of every segment of .e01 evidence
files. If for whatever reason one or more segments get lost or
corrupted, this allows artificial placeholder segments of the
right capacity to be created to fill in any gaps, so that all the data in subsequent
segments keeps the correct logical distance from the data in
preceding segments. That preserves the validity of pointers within the data
(partition start sectors in the partition table, cluster numbers in file
system data structures) as long as the original image file segments that
contain the source and the destination of a pointer are available.

Ability to conveniently create dummy/makeshift
segments for .e01 evidence files that can substitute
missing/lost/corrupt original segments, with the File | New command. The
user specifies the required chunk size and the number of chunks as well
as a filename for the desired segment (it must have the correct
extension, identifying the segment number, which cannot be 1). The data
written into the chunks is a recurring textual pattern ("MISSING IMAGE
FILE SEGMENT!" when running X-Ways Forensics in English), so that you
know that you are looking at a gap in between available data when
browsing the interpreted combined image later. The idea of such an
artificial dummy segment is that, if correctly created, it can serve as a
placeholder that ensures that data in subsequent segments has the
correct logical distance from the data in preceding segments. Of
course, the hash of the entire image can no longer be successfully verified
if the original data is not present, and of course this
functionality should be used only as a last resort if there is no backup
of the missing segment file and if data recovery fails etc., and the
creation and usage of such a dummy image file segment should be properly
documented. (forensic license only)

When interpreting an .e01 evidence file that contains
dummy segments, you will be notified, and the total number of
placeholder chunks are noted in the evidence object properties when the
image is added to the case.

If you require a placeholder for a single missing
segment of which you don't know the chunk size and chunk count because
the image was created without the new information in the descriptive
text file, this is how to find out: Change the filename extension of the
penultimate segment to that of the missing segment so that there is no
gap. Then rename the last segment to the now missing penultimate
segment. (If the missing segment actually is the penultimate one, the
last step is sufficient; if the missing one is the last, no renaming is
required at all.) Then add the image (first segment) to a case in X-Ways
Forensics as usual. X-Ways Forensics will bring the misnamed segment
to your attention in the Messages window, which can be ignored. Check
the evidence object properties for the chunk size as well as the
expected chunk count and the actually referenced chunk count. Subtract
the actually referenced chunk count from the expected chunk count: that
is the number of missing chunks. Change the filename extension back
to what it was before, and then create the missing dummy segment with
the correct chunk size, correct chunk count, and correct extension.

With a variation, this approach also works if multiple consecutive
segments are missing: you rename more available segments to fill
the gap in the first step, and you create as many dummy segments as
necessary to fill the gap. Exactly which dummy segment contains how many
surrogate chunks does not matter as long as the total number of
surrogate chunks equals the total number of missing
chunks. If multiple discontiguous segments are missing, suitable dummy
segments can only be created with the new information from the
descriptive text file.
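For raw split images the same placeholder idea reduces to plain arithmetic on the per-segment sizes from the descriptive text file, because a raw image is just the concatenation of its segments. The following Python is an added example (not X-Ways code, and it does not produce .e01 segments, which remain a job for File | New as described above): it builds the absolute-offset table from the segment sizes, creates placeholder files of exactly the right size for missing segments, filled with the same recurring marker text, and shows that a pointer into a later segment still resolves to the original data. The segment naming scheme (base.001, base.002, ...), the 4 KiB segment sizes and the payload bytes are constructed for the demonstration.

```python
import os
import tempfile

PATTERN = b"MISSING IMAGE FILE SEGMENT!"   # marker text, as written into dummy chunks by the program


def segment_table(sizes):
    """(segment number, absolute start offset, size) for each segment, numbered from 1."""
    table, start = [], 0
    for number, size in enumerate(sizes, 1):
        table.append((number, start, size))
        start += size
    return table


def locate(sizes, absolute_offset):
    """Map an absolute byte offset in the combined image to (segment number, offset within it)."""
    for number, start, size in segment_table(sizes):
        if start <= absolute_offset < start + size:
            return number, absolute_offset - start
    raise ValueError("offset lies beyond the end of the image")


def write_placeholder(path, size, pattern=PATTERN):
    """Create a dummy segment of exactly `size` bytes filled with the recurring marker text."""
    block = pattern * (65536 // len(pattern) + 1)
    written = 0
    with open(path, "wb") as f:
        while written < size:
            chunk = block[: min(len(block), size - written)]
            f.write(chunk)
            written += len(chunk)
    return written


def fill_gaps(directory, base, sizes):
    """Create placeholders for every missing segment of the raw split image base.001, base.002, ...
    using the sizes recorded in the descriptive text file. A present segment whose size does not
    match the recorded size is reported instead of silently accepted. Returns the names created."""
    created = []
    for number, _start, size in segment_table(sizes):
        name = f"{base}.{number:03d}"
        path = os.path.join(directory, name)
        if os.path.exists(path):
            actual = os.path.getsize(path)
            if actual != size:
                raise ValueError(f"{name}: {actual} bytes on disk, {size} bytes expected")
            continue
        write_placeholder(path, size)
        created.append(name)
    return created


def read_segment(directory, base, number):
    with open(os.path.join(directory, f"{base}.{number:03d}"), "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: three 4 KiB segments, the middle one lost. A pointer to absolute
    offset 9000 (inside segment 3) must still hit the original data once the gap is filled."""
    sizes = [4096, 4096, 4096]
    directory = tempfile.mkdtemp()
    payload = {1: bytes([0x11]) * 4096, 3: bytes([0x33]) * 4096}   # made-up segment contents
    for number, data in payload.items():
        with open(os.path.join(directory, f"img.{number:03d}"), "wb") as f:
            f.write(data)
    created = fill_gaps(directory, "img", sizes)
    combined = b"".join(read_segment(directory, "img", n) for n in (1, 2, 3))
    number, inner = locate(sizes, 9000)
    return {
        "created": created,
        "total": len(combined),
        "pointer": (number, inner),
        "byte_at_9000": combined[9000],
        "gap_marker": combined[4096:4096 + len(PATTERN)],
    }


if __name__ == "__main__":
    print(demo())
```

As with the .e01 dummy segments, a placeholder only preserves offsets; the hash of the whole image will not verify, and the placeholder's creation should be documented in the case notes.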

Volume Snapshot Refinement

Multi-threading: Option to set the number of worker
threads to 1, which means that one extra thread is started for
processing, separate from the main thread, so that GUI interaction is
possible without time lag. Useful for example on a terminal server with
many concurrent users, where you should not start too many threads, but
may want to be able to at least use the GUI quickly. If the number of
additional threads is set to 0, that means processing is done like in
v19.0 with 1 thread or generally in v18.9 and before by the main thread
itself, so that GUI interactions may be slow.

Ability to pause multi-threaded operations with the
Pause key.

It is now possible to omit not only known irrelevant
files, but also known relevant files from further volume snapshot
refinement. Useful for example if in large cases you have or expect
really many such files and having proof of their presence is sufficient
for you and you don't need to extract their internal metadata, don't
need to compute their skin tone percentages or PhotoDNA hashes, and
don't need to check them for embedded data etc.

If matches are returned from regular hash databases
as well as the PhotoDNA hash database at the same time with conflicting
categorizations, the "more severe" category prevails: unknown < known
good < known but uncategorized < known bad.

The option to mark a file as already viewed when it
gets categorized as irrelevant is now applied to the combined result of
ordinary hash database and PhotoDNA hash database matching.

Internal metadata is now extracted into the Metadata
column only from files of selected categories.

Options | Security | "Collect information for crash
report" is now a 3-state check box. If fully checked, should volume
snapshot refinement crash the program, restarting the program will also
point out which suboperation exactly was applied to the problematic
file(s) when the program crashed. It has not been tested whether this
enhanced granularity of logging might cause any noticeable slowdown.
There may be multiple candidates for the problematic file that triggered
the instability if multiple worker threads were active at the time of a
crash. Unlike in v19.0, all of them are now logged, and they are now
presented with the help of the Int. ID filter upon restart.

Report Tables

When checking for duplicate files based on hash
values, identical files can now optionally be grouped in dedicated
report tables so that you can conveniently list each group of duplicates
in the directory browser with the report table filter, for example to
find out which copy of the file was created first, which was touched
last, or which one might be of most evidentiary value based on metadata
such as path etc. Unlike marking duplicates as so-called related items,
report table grouping works even across evidence object boundaries, so
you are not limited to comparing duplicates within the same evidence
object.

Report tables that represent groups of duplicate
files are highlighted in turquoise. In total there are now 5 different
kinds of report tables: 1) user-created report tables, for example for
report purposes, 2) report tables created by X-Ways Forensics to make
the user aware of special properties of files, 3) report tables
representing search terms that are contained in a file, 4) report tables
representing hash sets in which a file was found, 5) report tables
representing groups of duplicate files.

The maximum number of report tables in a case was
increased from 256 to 1000.

To avoid a bloated list of report tables available
for selection during report creation, report tables are now offered in
that dialog window only if they are actually intended for report
purposes. That is assumed by default for all user-created report tables.
And you can toggle the report purpose of each report table in the report
table association dialog window, by assigning or removing the "star"
symbol.

When taking a new volume snapshot, all report table
associations in that evidence object are discarded. If that completely
empties a report table that is not marked as intended for report
purposes, such a report table will now be automatically deleted from the
case at that occasion.

Usability & User Interface

Options | Viewer Programs now offers grayscale
thumbnails for true-color pictures in the gallery. This option is meant
for law enforcement users whose job is to review child pornography
photos, to reduce the mental impact and stress level.

A new 3-state check box in General Options prevents
Windows screensavers from starting and potentially requiring the current
user's password to be re-entered, either only during operations that show a
progress indicator window (if half checked) or generally while the
program is running (if fully checked). This option has an effect no
matter whether the main window is visible or whether the program is
running in the background. Useful for example when acquiring a live
system of which you don't want to lose control during imaging, or if you
wish to keep an eye on the progress indicator on your own machine from
another corner in your office.

More user-friendly behavior when trying to change the
edit mode in data windows where that is not allowed, either because
X-Ways Forensics is not being run as WinHex or because of the strict
drive letter protection.

Convenient option to automatically open the output
directories of Recover/Copy after completion.

In Edit | Define Block it is now optionally possible
to enter the size of the block instead of its end offset. And it is now
possible to enter the start and end of a block in terms of sector
numbers instead of offsets directly.

The option to use the viewer component also for
pictures is now presented as an easy-to-reach button in Preview mode,
named "VC", so it is now much quicker to switch between the internal
graphics viewing library and the separate viewer component. Previously,
users had to go to the Options | Viewer Programs dialog window for that,
for example to get a second opinion in case of corrupt pictures. Also,
some users probably had this option always enabled simply because they
thought it was a "must" to view pictures with the viewer component, to
get pictures displayed at all, not knowing that pictures are by default
displayed by the internal graphics viewing library in X-Ways Forensics.

Directory icons for evidence objects that are
directories, in the Case Data window, so that they can be distinguished
from volumes.

Under Windows Vista and later, attachments are now
conveniently linked from the alternative e-mail representation in
Preview mode.

Tidied up Case Data context menus.

French translation of the user interface updated.
(Not guaranteed to be error-free.)

Check boxes with long text labels in Romance
languages that get truncated because of the limited space available now
automatically come with tooltips that reveal the complete text when
hovering the mouse cursor over the control.

The XWF_CreateFile function now supports a new flag, which allows
creating files in the volume snapshot with data as provided in a buffer.

Documentation updated.

Miscellaneous

The Full path column now comes with a filter.

New options when importing or creating hash sets in
the ordinary hash databases and the block hash database. Duplicate hash
values that are already contained in the hash database can either be
removed from the newly created or newly imported hash set or from all
existing hash sets, to keep the hash database more compact/less
redundant.

A new command in the Case Data window's context menu
allows you to mark an evidence object with a light bulb icon, as a visual aid
to locate it quickly if it is important.

Another new command in the Case Data context menu
allows you to conveniently make a backup of the selected evidence object's
volume snapshot. Backups can be restored at any later time with the same
command, and they can also be deleted with the same command (right-click
an item in the list of backups to get the Delete command). Such a backup
is like a snapshot of the volume snapshot. Useful if you think you might
want to revert to a certain processing stage later (i.e. undo changes to
the volume snapshot), for example after having carefully tagged
thousands of files that you don't want to lose, before running a file
header signature search with experimental settings that might produce a
lot of garbage files, before attaching external files with options that
you had never tried before, before running an X-Tension made by a 3rd
party, before totally removing excluded items from the volume snapshot
etc.

Report table associations, events, and search hits are also included in
the backup. Search hits can be restored from a backup only if the search
term list of the case did not change in the meantime. Indexes are not
included in the backup, but can be manually backed up, of course.

The same command applied at the case level
(right-click the case title in bold for that) allows you to make a backup of
the entire case, covering all evidence objects' volume snapshots, all
report tables, events, search terms, search hits, indexes, image file
paths, etc. Such backups can be restored from the same dialog
window. Such backups can also be opened directly with the Open Case
command if necessary, as they are complete copies of a case. (Backup
.xfc files are created with the "hidden" attribute, though, as they are
meant to be dealt with within X-Ways Forensics only.)

Duplicate files can now also be recognized by the
secondary hash value.

Duplicate files can now also be recognized by
identical start sectors (within the same evidence object).

It is now possible to optionally ignore additional hard
links when checking for duplicate files.
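The duplicate detection described under Report Tables above and refined in the three items just listed (grouping by primary hash across evidence objects, alternatively by secondary hash, by identical start sector within one evidence object, and optionally ignoring additional hard links) can be illustrated with one grouping routine. This is an added example and not X-Ways Forensics code; the `FileEntry` fields, the criterion names, the "Duplicates #n" naming and the sample entries are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FileEntry:
    """One file as it might appear in a volume snapshot (assumed, simplified shape)."""
    evidence_obj: str            # evidence object the file belongs to
    path: str                    # path within that evidence object
    primary_hash: Optional[str]
    secondary_hash: Optional[str]
    start_sector: Optional[int]
    is_extra_hard_link: bool     # an additional hard link to data already listed under another name
    created: str                 # creation timestamp, ISO 8601, constructed for the example


def group_key(f: FileEntry, criterion: str):
    """Key under which a file is compared for one criterion; None if no usable value.

    'primary'   : primary hash value, compared across evidence objects
    'secondary' : secondary hash value, compared across evidence objects
    'sector'    : identical start sector, meaningful only within one evidence object,
                  so the evidence object name is part of the key
    """
    if criterion == "primary":
        return f.primary_hash
    if criterion == "secondary":
        return f.secondary_hash
    if criterion == "sector":
        return None if f.start_sector is None else (f.evidence_obj, f.start_sector)
    raise ValueError(f"unknown criterion {criterion!r}")


def duplicate_groups(files: List[FileEntry], criterion: str = "primary",
                     ignore_hard_links: bool = False) -> Dict[object, List[FileEntry]]:
    """Bucket files by the chosen criterion; only buckets with 2+ members are duplicates."""
    buckets: Dict[object, List[FileEntry]] = defaultdict(list)
    for f in files:
        if ignore_hard_links and f.is_extra_hard_link:
            continue                      # same data, not a separate copy
        key = group_key(f, criterion)
        if key is None:
            continue                      # e.g. hash not computed yet
        buckets[key].append(f)
    return {k: v for k, v in buckets.items() if len(v) >= 2}


def report_tables_for_duplicates(groups: Dict[object, List[FileEntry]],
                                 prefix: str = "Duplicates") -> Dict[str, dict]:
    """Name each group like a dedicated report table and note which copy was created first,
    which is one of the questions the grouped listing is meant to answer."""
    tables = {}
    ordered = sorted(groups.items(), key=lambda kv: str(kv[0]))
    for n, (key, members) in enumerate(ordered, start=1):
        first = min(members, key=lambda f: f.created)
        tables[f"{prefix} #{n}"] = {
            "members": [f"{f.evidence_obj}:{f.path}" for f in members],
            "created_first": f"{first.evidence_obj}:{first.path}",
        }
    return tables


# Constructed sample snapshot spanning two evidence objects, "img1" and "img2".
SAMPLE_FILES = [
    FileEntry("img1", "/Users/a/photo.jpg",  "H1", "S1", 100, False, "2017-03-02T10:00:00"),
    FileEntry("img2", "/Users/b/copy.jpg",   "H1", "S1", 100, False, "2017-03-01T09:00:00"),
    FileEntry("img1", "/Users/a/doc.pdf",    "H2", "S2", 200, False, "2017-02-10T08:00:00"),
    FileEntry("img1", "/Users/a/doc_lnk.pdf", "H2", "S2", 200, True,  "2017-02-10T08:00:00"),
    FileEntry("img1", "/Users/a/notes.txt",  "H3", "S3", 300, False, "2017-01-05T07:00:00"),
]

if __name__ == "__main__":
    for name, info in report_tables_for_duplicates(duplicate_groups(SAMPLE_FILES)).items():
        print(name, info)
```

Note that the two files at sector 100 live in different evidence objects, so the sector criterion does not pair them, while the hash criterion does; the hard link pair is a duplicate by hash or sector unless `ignore_hard_links` is set.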

Option to print selected fields on the cover page in
bold letters and in a different color, to point the attention of the
reader to a certain aspect.

Separate notation options for the case report just
like for exported lists.

FYI, two users confirmed independently that the
anti-virus software Webroot SecureAnywhere causes random crashes
(program terminations) in X-Ways Forensics. So it is not recommended to
use the two on the same computer at the same time.

Many minor improvements.

Some minor fixes.

User manual and program help updated for v19.0.

Changes of service releases of v19.0

SR-1: Fixed inability of v19.0 to recognize a few
file types (those with the "x" flag), including SQLite 3.

SR-1: Fixed an instability problem in the registry
viewer.

SR-1: Fixed crashes that could occur since v18.9 when
extracting metadata from certain Linux PNG thumbnails.

SR-1b: Fixed an error in File mode in X-Ways
Investigator.

SR-2: Fixed inability of v19.0 to read a few sectors
on very large hard disks.

SR-2: Fixed error in file type verification and
uncovering embedded data when run with multiple threads.

SR-2: Fixed an error where attachments were not
extracted from certain .eml files.

SR-2: Fixed new option to link attachments from HTML
previews of e-mails in the case report.

SR-6: Fixed a potential infinite loop that could
occur during a file header signature search for Zip archives when data
of JNX files was found.

SR-6: Upward searches did not run correctly in v19.0.
That was fixed.

SR-7: Support for previously unsupported SQLite
database files.

SR-7: Multi-threaded operations generally more
reliable now.

SR-7: When matching the files in a volume snapshot
against hash databases more than once, previous matches according to the
"Hash set" column are now automatically discarded. The hash category
remains. This is for performance reasons. Keeping previous and new
matches consistent and free of duplications potentially took a lot of
time and was not optimized. Users of v18.7 through v18.9 have the option
to discard hash set matches and categorizations for selected files with
Ctrl+Shift+Del first to accelerate re-matching.

SR-9: Warns the user of GUID conflicts among Windows
dynamic disks if open at the same time, to prevent wrong volume-disk
connections.

SR-10: Fixed inability of v19.0 SR-8 and SR-9 to make
certain changes to PhotoDNA databases.

SR-10: The category of PhotoDNA hash database matches
no longer supersedes that of regular hash database matches during the
same snapshot refinement run.

SR-10: Fixed a potential crash that could occur when
extracting metadata from $UsnJrnl:$J.

SR-10: Fixed an exception error that could occur when
uncovering embedded data from PE executable files.

SR-11: Newly identified 3GP files were erroneously
assigned to the category "Other/unknown type" by the file type
verification in v19.0 SR-1 and later. That no longer happens.

SR-11: X-Tension API: Two new kinds of evidence
object IDs can now be retrieved with the XWF_GetEvObjProp function
(nPropType 3 and 4).

SR-11: Fixed inability of v19.0 to copy certain files
along with the case report under certain circumstances if the type
status was "newly identified".

SR-12: Fixed an I/O error that could occur when
extracting e-mails from e-mail archives while multiple threads were
active.

SR-12: Full filename matches in the Type filter did
not count if the type status was "newly identified" or "confirmed". That
was fixed. In v18.8 and later, full filename matches should have been
ignored only if the type status was "mismatch detected".

SR-12: Fixed an exception error or crash that could
occur under certain circumstances when opening partitions in X-Ways
Investigator without opening the parent disk first.

SR-12: LVM2 container partitions are now interpreted
properly even if the designated partition type in the MBR or GPT is
wrong.

Thank you for your attention! We hope to see you soon somewhere on
http://www.x-ways.net or on our
Facebook page.
You may also follow us on
Twitter! Please forward this newsletter to anyone who you think will be interested.
If you wish to subscribe with another e-mail address, please do so
here.